Lucene search

[email protected]NVD:CVE-2010-3870

HistoryNov 12, 2010 - 9:00 p.m.

CVE-2010-3870

2010-11-1221:00:02

CWE-20

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.2%

JSON

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

Affected configurations

NVD

Node

phpphpRange<5.2.14

phpphpRange5.3.0–5.3.4

Node

canonicalubuntu_linuxMatch6.06

canonicalubuntu_linuxMatch8.04-

canonicalubuntu_linuxMatch9.10

canonicalubuntu_linuxMatch10.04-

canonicalubuntu_linuxMatch10.10

References

bugs.php.net/bug.php?id=48230

bugs.php.net/bug.php?id=49687

lists.apple.com/archives/security-announce/2011/Mar/msg00006.html

lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html

lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html

lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html

marc.info/?l=bugtraq&m=133469208622507&w=2

secunia.com/advisories/42410

secunia.com/advisories/42812

sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html

support.apple.com/kb/HT4581

svn.php.net/viewvc?view=revision&revision=304959

us2.php.net/manual/en/function.utf8-decode.php#83935

www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/

www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf

www.mandriva.com/en/security/advisories?name=MDVSA-2010:224

www.openwall.com/lists/oss-security/2010/11/02/1

www.openwall.com/lists/oss-security/2010/11/02/11

www.openwall.com/lists/oss-security/2010/11/02/2

www.openwall.com/lists/oss-security/2010/11/02/4

www.openwall.com/lists/oss-security/2010/11/02/6

www.openwall.com/lists/oss-security/2010/11/02/8

www.openwall.com/lists/oss-security/2010/11/03/1

www.php.net/ChangeLog-5.php

www.redhat.com/support/errata/RHSA-2010-0919.html

www.redhat.com/support/errata/RHSA-2011-0195.html

www.securityfocus.com/bid/44605

www.securitytracker.com/id?1024797

www.ubuntu.com/usn/USN-1042-1

www.vupen.com/english/advisories/2010/3081

www.vupen.com/english/advisories/2011/0020

www.vupen.com/english/advisories/2011/0021

www.vupen.com/english/advisories/2011/0077

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.2%

JSON

Related for NVD:CVE-2010-3870

ubuntucve2 veracode1 prion2 openvas37 cve2 nessus24 securityvulns6 cvelist2 nvd1 redhat2 oraclelinux2 osv1 debian1 centos1 ubuntu1 fedora6 f52 gentoo1