Description
Two problems have been reported in PHP versions older than 4.3.8. The first may allow an attacker to execute arbitrary code on the remote host if memory_limit is set. The second is in the strip_tags function, which does not properly filter null (\0) characters within tag names. This vulnerability may facilitate the exploitation of XSS (cross-site scripting) vulnerabilities in the Internet Explorer and Safari web browsers.
Affected PHP versions: up to 4.3.7.
Remediation
Upgrade PHP to the latest version.
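The following Python triage helper is an added example, not part of the original advisory or of any scanner's code. It flags PHP version banners older than 4.3.8 and URL-decoded input that carries a NUL byte inside an HTML tag name. The function names, the banner format and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

FIXED = (4, 3, 8)  # first release the advisory lists as not affected

# Assumed banner shape, e.g. "X-Powered-By: PHP/4.3.7" or a Server header.
_BANNER = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?")

# '<', optional '/', then a tag name (must start with a letter or NUL)
# that contains a NUL byte before any whitespace or angle bracket.
_NUL_TAG = re.compile(rb"</?(?=[A-Za-z\x00])[^<>\s]*\x00")


def php_version_affected(banner):
    """True/False for a banner with a PHP version, None if none is present.

    Pre-release suffixes (RC, -dev) are ignored; that is a simplification.
    """
    m = _BANNER.search(banner)
    if not m:
        return None
    version = tuple(int(part or 0) for part in m.groups())
    return version < FIXED


def nul_in_tag_name(raw_value):
    """True if the URL-decoded value has a NUL byte inside a tag name."""
    data = unquote_to_bytes(raw_value)
    return _NUL_TAG.search(data) is not None


# Constructed sample records: (server banner, raw query string).
SAMPLES = [
    ("Apache/1.3.31 (Unix) PHP/4.3.7", "name=%3Cb%00r%3E"),
    ("Apache/1.3.31 (Unix) PHP/4.3.8", "q=1%20%3C%202"),
    ("nginx", "note=%3Cem%3Eok%3C%2Fem%3E"),
]


def triage(samples):
    """Return (version_affected, nul_in_tag) for each sample record."""
    return [(php_version_affected(b), nul_in_tag_name(v)) for b, v in samples]


if __name__ == "__main__":
    for (banner, value), result in zip(SAMPLES, triage(SAMPLES)):
        print(banner, value, result)
```

A NUL byte inside an attribute value does not trigger the second check; it only matches NULs in the tag name, which is the case the advisory describes.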