Lucene search

K

PRIOn knowledge basePRION:CVE-2010-3870

HistoryNov 12, 2010 - 9:00 p.m.

Cross site scripting

2010-11-1221:00:00

PRIOn knowledge base

www.prio-n.com

3

6.9 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

74.6%

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

CPENameOperatorVersion
ubuntu_linuxeq10.10
ubuntu_linuxeq9.10
ubuntu_linuxeq8.04
ubuntu_linuxeq10.04
ubuntu_linuxeq6.06
phplt5.2.14
phpge5.3.0
phplt5.3.4

References

bugs.php.net/bug.php?id=48230

bugs.php.net/bug.php?id=49687

lists.apple.com/archives/security-announce/2011/Mar/msg00006.html

lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html

secunia.com/advisories/42410

secunia.com/advisories/42812

support.apple.com/kb/HT4581

svn.php.net/viewvc?view=revision&revision=304959

us2.php.net/manual/en/function.utf8-decode.php

www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf

www.mandriva.com/en/security/advisories?name=MDVSA-2010:224

www.openwall.com/lists/oss-security/2010/11/02/1

www.openwall.com/lists/oss-security/2010/11/02/11

www.openwall.com/lists/oss-security/2010/11/02/2

www.openwall.com/lists/oss-security/2010/11/02/4

www.openwall.com/lists/oss-security/2010/11/02/6

www.openwall.com/lists/oss-security/2010/11/02/8

www.openwall.com/lists/oss-security/2010/11/03/1

www.php.net/ChangeLog-5.php

www.redhat.com/support/errata/RHSA-2010-0919.html

www.redhat.com/support/errata/RHSA-2011-0195.html

www.securityfocus.com/bid/44605

www.securitytracker.com/id?1024797

www.ubuntu.com/usn/USN-1042-1

www.vupen.com/english/advisories/2010/3081

www.vupen.com/english/advisories/2011/0020

www.vupen.com/english/advisories/2011/0021

www.vupen.com/english/advisories/2011/0077

lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html

lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html

marc.info/?l=bugtraq&m=133469208622507&w=2

sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html

www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/

6.9 Medium

AI Score

Confidence

High

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

74.6%

Related for PRION:CVE-2010-3870

ubuntucve2 veracode1 openvas37 securityvulns6 nessus24 cve2 prion1 oraclelinux2 redhat2 osv1 debian1 centos1 ubuntu1 fedora6 f52 gentoo1