Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2004-0595

7 documents6 sources

Severity

6.8MEDIUM

EPSS

49.3%

top 2.21%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Avaya Converged Communications Server Avaya S8300 Avaya S8500 +4 more

Timeline

PublishedJul 27

Latest updateApr 29

Description

The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages7 packages

▶NVDphp/php23 versions+22

▶NVDavaya/s8300r2.0.0, r2.0.1+1

▶NVDavaya/s8500r2.0.0, r2.0.1+1

▶NVDavaya/s8700r2.0.0, r2.0.1+1

▶NVDredhat/fedora_corecore_1.0, core_2.0+1

Patches

Patch: www.debian.org ↗Patch: www.securityfocus.com ↗Patch: www.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-h8wj-59vf-r37g: The strip_tags function in PHP 4↗2022-04-29

▶

CVEList

CVE-2004-0595: The strip_tags function in PHP 4↗2004-07-16

▶

💥Exploits & PoCs

Exploit-DB

PHP 4.x/5.0 - 'Strip_Tags()' Function Bypass↗2004-07-14

▶

📋Vendor Advisories

Red Hat

security flaw↗2004-07-14

▶

💬Community

Bugzilla

CVE-2004-0595 security flaw↗2018-08-16

▶

Bugzilla

CVE-2004-0595 PHP flaws (CVE-2004-0594 CVE-2004-1018 CVE-2004-1019)↗2005-10-25

▶