← Back

CVE-2015-4598

nvd nist
Published: May 16, 2016Modified: May 6, 2026

JSON object

Loading...
6.5
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 / Impact: 2.5
Source: NVD

Description

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

Affected (45)

Redhat
7 products
Enterprise Linux Desktop
Enterprise Linux Hpc Node
Enterprise Linux Hpc Node Eus
Enterprise Linux Server
Enterprise Linux Server Eus
Enterprise Linux Workstation
Enterprise Linux
Php
1 product
Php
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Enterprise Linux Desktop
Version 7.0
Enterprise Linux Hpc Node
Version 7.0
Enterprise Linux Hpc Node Eus
Version 7.1
Enterprise Linux Server
Version 7.0
Enterprise Linux Server Eus
Version 7.1
Enterprise Linux Workstation
Version 7.0
Configuration B
37 vulnerable
Vulnerable SoftwareAffected Versions
Php
Php
Up to 5.4.41
Php
Version 5.5.0
Php
Version 5.5.10
Php
Version 5.5.11
Php
Version 5.5.12
Php
Version 5.5.13
Php
Version 5.5.14
Php
Version 5.5.15
Php
Version 5.5.16
Php
Version 5.5.17
Php
Version 5.5.18
Php
Version 5.5.19
Php
Version 5.5.1
Php
Version 5.5.20
Php
Version 5.5.21
Php
Version 5.5.22
Php
Version 5.5.23
Php
Version 5.5.24
Php
Version 5.5.25
Php
Version 5.5.2
Php
Version 5.5.3
Php
Version 5.5.4
Php
Version 5.5.5
Php
Version 5.5.6
Php
Version 5.5.7
Php
Version 5.5.8
Php
Version 5.5.9
Php
Version 5.6.0
Php
Version 5.6.1
Php
Version 5.6.2
Php
Version 5.6.3
Php
Version 5.6.4
Php
Version 5.6.5
Php
Version 5.6.6
Php
Version 5.6.7
Php
Version 5.6.8
Php
Version 5.6.9
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Redhat
Enterprise Linux
Version 6.0
Enterprise Linux
Version 7.0

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (24)

Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.