Main Vulnerability Database SB2022070127

SB2022070127 - Input validation error in PHP

Published: July 1, 2022 Updated: June 8, 2025

Security Bulletin ID SB2022070127

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2004-0542)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function.

Remediation

Install update from vendor's website.

References

http://www.idefense.com/application/poi/display?id=108
http://www.php.net/release_4_3_7.php
https://exchange.xforce.ibmcloud.com/vulnerabilities/16331