AI Score: 6.4 Medium (Confidence: Low)
CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.011 Low (Percentile: 84.2%)
Unspecified vulnerability in session.c in PHP before 5.1.3 has unknown impact and attack vectors, related to “certain characters in session names,” including special characters that are frequently associated with CRLF injection, SQL injection, cross-site scripting (XSS), and HTTP response splitting vulnerabilities. NOTE: while the nature of the vulnerability is unspecified, it is likely that this is related to a violation of an expectation by PHP applications that the session name is alphanumeric, as implied in the PHP manual for session_name().
CPE | Name | Operator | Version
---|---|---|---
php_group:php | php group php | le | 5.1.2
References:
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
rhn.redhat.com/errata/RHSA-2006-0736.html
secunia.com/advisories/19927
secunia.com/advisories/21050
secunia.com/advisories/22004
secunia.com/advisories/22069
secunia.com/advisories/22225
secunia.com/advisories/22440
secunia.com/advisories/22487
secunia.com/advisories/23247
securitytracker.com/id?1016306
support.avaya.com/elmodocs2/security/ASA-2006-221.htm
support.avaya.com/elmodocs2/security/ASA-2006-222.htm
www.mandriva.com/security/advisories?name=MDKSA-2006:122
www.osvdb.org/25253
www.php.net/release_5_1_3.php
www.redhat.com/support/errata/RHSA-2006-0669.html
www.redhat.com/support/errata/RHSA-2006-0682.html
www.securityfocus.com/archive/1/447866/100/0/threaded
www.securityfocus.com/bid/17843
www.turbolinux.com/security/2006/TLSA-2006-38.txt
www.ubuntu.com/usn/usn-320-1
issues.rpath.com/browse/RPL-683
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10597