Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP Other Vulnerability (CVE-2019-11044)

Description

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

Remediation

References

Related Vulnerabilities

WordPress Plugin BulletProof Security Cross-Site Scripting (.52.4)

WordPress Plugin Translate Multilingual sites-TranslatePress Cross-Site Scripting (2.0.8)

Drupal Core 6.x Remote Code Execution (6.0 - 6.38)

Handlebars Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2019-20922)

Moodle Numeric Errors Vulnerability (CVE-2011-4305)

Severity

High

Classification

CVE-2019-11044 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities