Description

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Remediation

References

CVE-2020-7067

Related Vulnerabilities

WordPress Plugin SS Downloads Multiple Cross-Site Scripting Vulnerabilities (1.4.4.1)

XWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2023-29517)

WordPress Plugin Secure File Manager Remote Code Execution (2.8.1)

Moodle Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2015-1493)

Drupal Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2017-6381)

Severity

High

Classification

CVE-2020-7067 CWE-125 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities