CVE-2020-7059

Summary

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

Affected Software

VendorProductVersion RangeStatus
PHP GroupPHP7.2.x < 7.2.27affected
PHP GroupPHP7.3.x < 7.3.14affected
PHP GroupPHP7.4.x < 7.4.2affected

Weaknesses

  • CWE-125: CWE-125 Out-of-bounds Read

Workarounds

Usage of fgetss() has been DEPRECATED as of PHP 7.3.0. Please use strip_tags() or other means sanitizing HTML code.

ADP Enrichment

CVE Program Container

Additional References

References