Improper Neutralization of Argument Delimiters in a Command in PHP - CVE-2002-0985

 


Published: February 13, 2024 / Updated: June 8, 2025


Vulnerability identifier: #VU110539
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2002-0985
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PHP Group
Affected software:
PHP

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An argument injection vulnerability in the mail() function in PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify the command line arguments passed to the MTA (e.g. sendmail) via the 5th argument to mail(), altering MTA behavior and possibly executing commands.


How to mitigate CVE-2002-0985

Install the update from the vendor's website.
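
The description above concerns text reaching the MTA command line through the 5th argument to mail(). The following is an added example, not code from this advisory or from the PHP project: an application-level check that builds that argument only from a strictly validated envelope sender. The helper names `envelope_sender_param` and `send_with_sender`, the choice of the `-f` sender option and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build the 5th argument to mail() from an envelope sender address.
 * Hypothetical helper for illustration; returns null when the value is rejected.
 */
function envelope_sender_param(string $address): ?string
{
    // Strict allowlist: no whitespace, quotes or shell metacharacters, and no
    // leading dash, so the value cannot be split into extra MTA arguments.
    // \A and \z anchor the whole string (a trailing newline is rejected).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\z/', $address)) {
        return null;
    }
    // Second check: the value must also be a syntactically valid address.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return '-f' . $address;
}

/**
 * Wrapper that never forwards caller-supplied text as additional parameters;
 * the 5th argument is always produced by envelope_sender_param().
 */
function send_with_sender(string $to, string $subject, string $body, string $sender): bool
{
    $param = envelope_sender_param($sender);
    if ($param === null) {
        error_log('mail(): rejected envelope sender');
        return false;
    }
    return mail($to, $subject, $body, '', $param);
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'bounce@example.com',
    'bounce@example.com --placeholder-option',
    '-placeholder@example.com',
    "bounce@example.com\n",
];
foreach ($samples as $s) {
    $p = envelope_sender_param($s);
    printf("%-45s => %s\n", json_encode($s), $p === null ? 'rejected' : $p);
}
```

Only the first sample is accepted; the others contain a space, a leading dash or a trailing newline and are rejected before mail() is called.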
