Description
Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.
Affected PHP versions (up to 4.4.4/5.1.6).
Remediation
Upgrade PHP to the latest version.
References
Related Vulnerabilities
Joomla! Core 3.x.x Cross-Site Scripting (3.0.0 - 3.8.3)
WordPress Plugin Multi Rating Multiple Vulnerabilities (5.0.5)
SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17305)
WordPress Plugin WP Visitor Statistics (Real Time Traffic) Security Bypass (5.4)
WordPress Plugin WooCommerce Instamojo Cross-Site Scripting (0.0.6)