CVE-2020-7059
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Summary
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PHP Group | PHP | 7.2.x < 7.2.27 | affected |
| PHP Group | PHP | 7.3.x < 7.3.14 | affected |
| PHP Group | PHP | 7.4.x < 7.4.2 | affected |
Weaknesses
- CWE-125: CWE-125 Out-of-bounds Read
Workarounds
Usage of fgetss() has been DEPRECATED as of PHP 7.3.0. Please use strip_tags() or other means sanitizing HTML code.
ADP Enrichment
CVE Program Container
Additional References
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://usn.ubuntu.com/4279-1/
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2020/Feb/31
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- https://security.gentoo.org/glsa/202003-57
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://bugs.php.net/bug.php?id=79099
- https://security.netapp.com/advisory/ntap-20200221-0002/
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
References
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://usn.ubuntu.com/4279-1/
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2020/Feb/31
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- https://security.gentoo.org/glsa/202003-57
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://bugs.php.net/bug.php?id=79099
- https://security.netapp.com/advisory/ntap-20200221-0002/
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-14
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.