Description

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

Remediation

References

CVE-2020-7059

Related Vulnerabilities

Drupal Core 4.6.x Multiple Cross-Site Scripting Vulnerabilities (4.6.0 - 4.6.9)

WordPress Plugin Alpine PhotoTile for Instagram Cross-Site Scripting (1.2.7.5)

Dot CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-5876)

MySQL CVE-2019-2774 Vulnerability (CVE-2019-2774)

WordPress Plugin Forminator-Contact Form, Payment Form & Custom Form Builder Cross-Site Request Forgery (1.14.8)

Severity

Critical

Classification

CVE-2020-7059 CWE-125 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Tags

Missing Update Known Vulnerabilities