6.8
CVE-2010-3870
- EPSS 11.28%
- Veröffentlicht 12.11.2010 21:00:02
- Zuletzt bearbeitet 16.06.2026 23:23:43
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Canonical ≫ Ubuntu Linux Version6.06
Canonical ≫ Ubuntu Linux Version8.04 SwEdition-
Canonical ≫ Ubuntu Linux Version9.10
Canonical ≫ Ubuntu Linux Version10.04 SwEdition-
Canonical ≫ Ubuntu Linux Version10.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 11.28% | 0.954 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
http://www.php.net/ChangeLog-5.php
http://secunia.com/advisories/42410
http://www.redhat.com/support/errata/RHSA-2010-0919.html
http://www.vupen.com/english/advisories/2010/3081
http://marc.info/?l=bugtraq&m=133469208622507&w=2
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
http://support.apple.com/kb/HT4581
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html
http://secunia.com/advisories/42812
http://www.ubuntu.com/usn/USN-1042-1
http://www.vupen.com/english/advisories/2011/0020
http://www.vupen.com/english/advisories/2011/0021
http://www.vupen.com/english/advisories/2011/0077
http://www.redhat.com/support/errata/RHSA-2011-0195.html
http://bugs.php.net/bug.php?id=48230
http://bugs.php.net/bug.php?id=49687
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
http://svn.php.net/viewvc?view=revision&revision=304959
http://us2.php.net/manual/en/function.utf8-decode.php#83935
http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:224
http://www.openwall.com/lists/oss-security/2010/11/02/1
http://www.openwall.com/lists/oss-security/2010/11/02/11
http://www.openwall.com/lists/oss-security/2010/11/02/2
http://www.openwall.com/lists/oss-security/2010/11/02/4
http://www.openwall.com/lists/oss-security/2010/11/02/6
http://www.openwall.com/lists/oss-security/2010/11/02/8
http://www.openwall.com/lists/oss-security/2010/11/03/1
http://www.securityfocus.com/bid/44605
http://www.securitytracker.com/id?1024797