Description

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

Remediation

References

CVE-2019-9025

Related Vulnerabilities

PHP Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2011-3379)

Open Resty Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-9230)

WordPress Plugin Portfolio-WordPress Portfolio Cross-Site Scripting (2.8.10)

WordPress Plugin Helpie FAQ-WordPress FAQ Accordion Security Bypass (0.7)

WordPress Plugin EventCommerce WP Event Calendar Cross-Site Scripting (1.0)

Severity

Critical

Classification

CVE-2019-9025 CWE-119 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities