CVE-2019-9020
Published: 2019-02-22
Priority: P3 · 50 · CVSS 3.0 score 9.8 (critical)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.06% (95.0th percentile)
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.
## Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| opensuse | leap | — | — |
| php | php | < 5.6.40 | 5.6.40 |
| php | php | >= 7.0.0 < 7.1.26 | 7.1.26 |
| php | php | >= 7.2.0 < 7.2.14 | 7.2.14 |
| php | php | >= 7.3.0 < 7.3.1 | 7.3.1 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.27 | 5.5.9+dfsg-1ubuntu4.27 |
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
## GHSA: GHSA-48fv-2rrr-rrph
ghsa_unreviewed · 2022-05-14 · CVE-2019-9020 [CRITICAL] · CWE-125
The advisory text repeats the description above verbatim.
## OSV: php5, php7.0 vulnerabilities
osv · 2019-03-06 · CVSS 9.8 · CVE-2019-9020 [CRITICAL]
It was discovered that the PHP XML-RPC module incorrectly handled decoding
XML data. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)
It was discovered that the PHP PHAR module incorrectly handled certain
filenames. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9021)
It was discovered that PHP incorrectly parsed certain DNS responses. A
remote attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2019-9022)
It was discovered that PHP incorrectly handled mbstring regular
expressions. A remote attacker could possibly
## OSV: CVE-2019-9020
osv · 2019-02-22 · CVSS 9.8 · CVE-2019-9020 [CRITICAL]
The entry repeats the description above verbatim.
## CISA ICS Advisory: Festo Didactic SE MES PC
cisa_ics · 2026-01-27 · CVSS 7.5 [HIGH]
Release date: January 27, 2026
Alert code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
## Ubuntu: PHP vulnerabilities
vendor_ubuntu · 2019-03-12 · CVSS 9.8 · CVE-2019-9020 [CRITICAL]
Summary: Several security issues were fixed in PHP.
USN-3902-1 fixed a vulnerability in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that the PHP XML-RPC module incorrectly handled decoding
XML data. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)
It was discovered that the PHP PHAR module incorrectly handled certain
filenames. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9021)
It was discovered that PHP incorrectly handled mbstring regular
expressions. A remote attacker could possibly use this issue to cause PHP
to crash, resulti
## Ubuntu: PHP vulnerabilities
vendor_ubuntu · 2019-03-06 · CVSS 9.8 · CVE-2019-9020 [CRITICAL]
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP XML-RPC module incorrectly handled decoding
XML data. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)
It was discovered that the PHP PHAR module incorrectly handled certain
filenames. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2019-9021)
It was discovered that PHP incorrectly parsed certain DNS responses. A
remote attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2019-9022)
It was discovered that PHP incorrectly handled mbstring reg
## Red Hat: php: Invalid memory access in function xmlrpc_decode()
vendor_redhat · 2018-12-05 · CVSS 9.8 · CVE-2019-9020 [CRITICAL] · CWE-119
The entry repeats the description above verbatim.
Package: php (Red Hat Enterprise Linux 5) - Out of support scope
Package: php (Red Hat Enterprise Linux 6) - Out of support scope
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: rh-php70-php (Red Hat Software Collections) - Will not fix
No detection rules found.
No public exploits indexed.
## References
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
http://www.securityfocus.com/bid/107156
https://access.redhat.com/errata/RHSA-2019:2519
https://access.redhat.com/errata/RHSA-2019:3299
https://bugs.php.net/bug.php?id=77242
https://bugs.php.net/bug.php?id=77249
https://security.netapp.com/advisory/ntap-20190321-0001/
https://usn.ubuntu.com/3902-1/
https://usn.ubuntu.com/3902-2/
https://www.debian.org/security/2019/dsa-4398