Description

** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id."

Remediation

References

CVE-2013-3735

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-3439)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-26083)

MySQL CVE-2016-0665 Vulnerability (CVE-2016-0665)

Rukovoditel Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-44949)

WordPress Improper Input Validation Vulnerability (CVE-2019-20041)

Severity

Medium

Classification

CVE-2013-3735 CWE-20

Tags

Missing Update Known Vulnerabilities