Description

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Remediation

References

CVE-2020-7067

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-9584)

Oracle Database Server CVE-2014-6577 Vulnerability (CVE-2014-6577)

Oracle Database Server CVE-2008-2591 Vulnerability (CVE-2008-2591)

OpenSSL Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2018-0737)

Jenkins Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-5318)

Severity

High

Classification

CVE-2020-7067 CWE-125 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities