cbcvebase.
CVE-2014-5120
published 2014-08-23

CVE-2014-5120: gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote…

PriorityP347medium6.4CVSS 2.0
AVNACLAuNCNIPAP
EPSS
16.93%
96.7th percentile
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

Affected

50 ranges· showing 25
VendorProductVersion rangeFixed in
appleos_x_yosemite_v10.10.3_and_security_update_2015-004
debianlibgd2
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp
phpphp

CVSS provenance

nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
vendor_debian6.4LOW
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.