Description
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.
Remediation
References
Related Vulnerabilities
WordPress Plugin Elementor Website Builder Unspecified Vulnerability (3.0.15)
Oracle JRE CVE-2013-5774 Vulnerability (CVE-2013-5774)
Drupal Core 7.x Cross-Site Scripting (7.0 - 7.79)
MySQL CVE-2015-4791 Vulnerability (CVE-2015-4791)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7890)