CVSS: 5.0EPSS: 2%CPEs: 69EXPL: 2CVE-2010-4409 – PHP 5.3.3 - NumberFormatter::getSymbol Integer Overflow
https://notcve.org/view.php?id=CVE-2010-4409
Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument. Desbordamienteo de entero en la función NumberFormatter::getSymbol (numfmt_get_symbol) de PHP 5.3.3 y versiones anteriores. Permite a atacantes dependiendo del contexto provocar una denegación de servicio (caída de la aplicación) a través de un argumento inválido. PHP version 5.3.3 suffers from a NumberFormatter::getSymbol integer overflow vulnerability. • https://www.exploit-db.com/exploits/15722 http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html http://lists.opensuse.org/opensuse-updates/2012-01/msg00035.html http://secunia.com/advisories/42812 http://secunia.com/advisories/47674 http://support.apple.com/kb/HT4581 http://svn.php.net/viewvc/php/php-src& • CWE-189: Numeric Errors •
CVSS: 6.8EPSS: 0%CPEs: 88EXPL: 3CVE-2009-5016 – php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string
https://notcve.org/view.php?id=CVE-2009-5016
Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870. Desbordamiento de enteros en xml_utf8_decode function in ext/xml/xml.c in PHP anterior v5.2.11 hace fácil para atacantes remotos superar los mecanismos de protección de secuencia de comandos en sitios cruzados (XSS) e inyección SQL a través de cadenas manipuladas que usa una codificación UTF-8 demasiado larga, una vulnerabilidad diferente que CVE-2010-3870. • http://bugs.php.net/bug.php?id=49687 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html http://secunia.com/advisories/42410 http://secunia.com/advisories/42812 http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf http://www.redhat.com/support/errata/RHSA-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-189: Numeric Errors •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 7CVE-2010-3870 – PHP 5.3.2 - 'xml_utf8_decode()' UTF-8 Input Validation
https://notcve.org/view.php?id=CVE-2010-3870
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string. La función utf8_decode en PHP anterior v5.3.4 no maneja adecuadamente la codificación UTF-8 corta y las secuencias malformadas en los datos UTF-8, lo que hace fácil para los atacantes remotos superar los mecanismos de protección en la secuencia de comandos en sitios cruzados (XSS) e inyección de SQL a través de cadenas manipuladas. • https://www.exploit-db.com/exploits/34950 http://bugs.php.net/bug.php?id=48230 http://bugs.php.net/bug.php?id=49687 http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html http://marc.info/?l=bugtraq&m=133469208622507&w=2 http:&# • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 30EXPL: 0CVE-2010-3294 – php-pecl-apc: potential XSS in apc.php
https://notcve.org/view.php?id=CVE-2010-3294
Cross-site scripting (XSS) vulnerability in apc.php in the Alternative PHP Cache (APC) extension before 3.1.4 for PHP allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en apc.php de la extensión "Alternative PHP Cache" (APC) en versiones anteriores a la v3.1.4 para PHP permite a usuarios remotos inyectar codigo de script web o código HTML de su elección a través de vectores de ataque sin especificar. • http://pecl.php.net/package-changelog.php?package=APC&release=3.1.4 http://rhn.redhat.com/errata/RHSA-2012-0811.html http://www.openwall.com/lists/oss-security/2010/09/14/1 http://www.openwall.com/lists/oss-security/2010/09/14/6 http://www.openwall.com/lists/oss-security/2010/09/14/8 http://www.vupen.com/english/advisories/2010/2406 https://access.redhat.com/security/cve/CVE-2010-3294 https://bugzilla.redhat.com/show_bug.cgi?id=634334 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2010-2041
https://notcve.org/view.php?id=CVE-2010-2041
Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP-Calendar before 2.0 Beta7 allow remote attackers to inject arbitrary web script or HTML via the (1) description and (2) lastaction parameters. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en index.php de PHP-Calendar en versiones anteriores a la v2.0 Beta7. Permiten a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de los parámetros (1) description y (2) lastaction. • http://packetstormsecurity.org/1005-advisories/phpcalendar-xss.txt http://php-calendar.blogspot.com/2010/05/php-calendar-20-beta7.html http://secunia.com/advisories/33899 http://www.securityfocus.com/archive/1/511395/100/0/threaded http://www.securityfocus.com/bid/40334 http://www.vupen.com/english/advisories/2010/1202 https://exchange.xforce.ibmcloud.com/vulnerabilities/58861 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •