Description
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Remediation
References
Related Vulnerabilities
WordPress Plugin Essential Real Estate Cross-Site Scripting (1.7.0)
Oracle Database Server CVE-2009-1991 Vulnerability (CVE-2009-1991)
WordPress Plugin Images Slideshow by 2J-Image Slider Unspecified Vulnerability (1.2.15)
Joomla! Core 3.x.x Directory Traversal (3.0.0 - 3.9.24)
WordPress Plugin Style Kits-Advanced Theme Styles for Elementor Cross-Site Request Forgery (1.8.0)