Description

This alert was generated using only banner information. It may be a false positive.

Two problems have been reported in PHP versions older than 4.3.8. One may allow an attacker to execute arbitrary code on the remote host if memory_limit is set. The other problem is related with strip_tags function which is unable to properly filter null (\0) characters within tag names. This vulnerability may facilitate the exploitation of XSS (cross site scripting) vulnerabilities on Internet Explorer and Safari web browsers.

Affected PHP versions (up to 4.3.7).

Remediation

Upgrade PHP to the latest version.

References

CAN-2004-0594

CAN-2004-0595

PHP Homepage

Related Vulnerabilities

WordPress Plugin WP Popup Lite-Responsive popup for WordPress includes Backdoor [Only if downloaded via the vendor website] (1.0.8)

WordPress Plugin Feed Them Social-for Twitter feed, Youtube and more Cross-Site Request Forgery (2.8.6)

WordPress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2008-0491)

Oracle Application Server CVE-2008-3977 Vulnerability (CVE-2008-3977)

WordPress Plugin WP Events Calendar 'event_id' Parameter SQL Injection (6.5.2)

Severity

Medium

Classification

CVE-2004-0594 CVE-2004-0595 CWE-1104 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update Denial Of Service Code Execution