Description

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Remediation

References

CVE-2020-7067

Related Vulnerabilities

Joomla! Core 1.6.x Cross-Site Scripting (1.6.0 - 1.6.3)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-1984)

MySQL Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2008-4098)

WordPress Plugin Easy Plugin for AdSense Cross-Site Request Forgery (6.06)

WordPress Plugin WP BASE Booking of Appointments, Services and Events PHP Object Injection (3.5.0)

Severity

High

Classification

CVE-2020-7067 CWE-125 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities