9.1

CVE-2020-7059

Exploit

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

Data is provided by the National Vulnerability Database (NVD)
PhpPhp Version >= 7.2.0 < 7.2.27
PhpPhp Version >= 7.3.0 < 7.3.14
PhpPhp Version >= 7.4.0 < 7.4.2
TenableTenable.Sc Version < 5.19.0
OpensuseLeap Version15.1
DebianDebian Linux Version8.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.16% 0.836
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:N/A:P
security@php.net 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://usn.ubuntu.com/4279-1/
Patch
Third Party Advisory
https://seclists.org/bugtraq/2020/Feb/27
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2020/Feb/31
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2021/Jan/3
Third Party Advisory
Mailing List
https://bugs.php.net/bug.php?id=79099
Vendor Advisory
Exploit