CVE-2020-7071
Published 2021-02-15
Priority: P4 · CVSS 3.1 base score 5.3 (medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 2.98% (85.6th percentile)
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may lead to functions that rely on the URL being valid to mis-parse the URL and produce wrong data as components of the URL.
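The description above says only that an unpatched FILTER_VALIDATE_URL lets a malformed password through and that code which then parses the "validated" URL gets wrong components. As an added example (not code from the CVE record, from php-src, or from any vendor advisory), the PHP function below shows how a caller can stop depending on that check: it runs filter_var(), re-parses the string with parse_url(), requires the user and password components to match the RFC 3986 userinfo grammar, and pins the host to an allowlist. The function name, the allowlist and the sample URLs are this example's own constructed inputs; upgrading to 7.3.26 / 7.4.14 / 8.0.1 remains the actual fix.

```php
<?php
// Added example, not part of the CVE record or of php-src: a URL check that does
// not trust FILTER_VALIDATE_URL's userinfo handling. It re-validates the user
// and password components against the RFC 3986 userinfo grammar
//   userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
// and pins the host to an allowlist, so a URL that an unpatched PHP lets
// through still cannot reach an unexpected host. Function name, allowlist and
// sample URLs below are this example's own choices.

declare(strict_types=1);

// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
// sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
const USERINFO_RE = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';

/**
 * Returns the parse_url() components of $url if it is a well-formed http(s)
 * URL whose userinfo is RFC 3986-clean and whose host is in $allowedHosts;
 * returns null otherwise. The boolean from filter_var() alone is not enough.
 */
function validate_outbound_url(string $url, array $allowedHosts): ?array
{
    // Gate 1: PHP's own syntax check (userinfo validation was added in the fix).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Gate 2: only http/https, and only hosts this code is meant to contact.
    // parse_url() treats the last '@' before the path as the userinfo
    // delimiter, so a stray '@' can silently change which host is reported;
    // comparing the parsed host against an allowlist catches that.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }

    // Gate 3: user and password must match the RFC 3986 userinfo grammar.
    // This is the component CVE-2020-7071 says FILTER_VALIDATE_URL skipped.
    foreach (['user', 'pass'] as $component) {
        if (isset($parts[$component]) && !preg_match(USERINFO_RE, $parts[$component])) {
            return null;
        }
    }

    return $parts;
}

// Constructed sample inputs for a local run (not taken from the bug report).
$allowed = ['api.example.com'];
$samples = [
    'https://api.example.com/v1/items',                // no userinfo at all
    'https://svc:p%40ss@api.example.com/v1/items',     // percent-encoded '@' is legal
    'https://svc:p@ss@api.example.com/v1/items',       // raw '@' inside the password
    'https://svc:pass@api.example.com@evil.example/',  // second '@' shifts the host
];
foreach ($samples as $u) {
    $r = validate_outbound_url($u, $allowed);
    printf("%-50s => %s\n", $u, $r === null ? 'reject' : 'accept host=' . $r['host']);
}
```

Run it with `php example.php`. The first two samples are accepted with host api.example.com; the third is rejected because its password contains a raw `@`, and the fourth because parse_url() reports evil.example as the host, which is not on the allowlist. On a patched interpreter the last two already fail at gate 1; on an unpatched one gates 2 and 3 do the work, which is the point of not relying on filter_var() alone.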
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php7.4 | < php7.4 7.4.14-1 (bullseye) | php7.4 7.4.14-1 (bullseye) |
| msrc | cbl2_php_7.4.14-3_on_cbl_mariner_2.0 | — | — |
| php | php | >= 7.3.0 < 7.3.26 | 7.3.26 |
| php | php | >= 7.4.0 < 7.4.14 | 7.4.14 |
| php | php | >= 8.0.0 < 8.0.1 | 8.0.1 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm14 | 5.5.9+dfsg-1ubuntu4.29+esm14 |
| php_group | php | >= 7.3.x < 7.3.26 | 7.3.26 |
| php_group | php | >= 7.4.x < 7.4.14 | 7.4.14 |
| php_group | php | >= 8.0.x < 8.0.1 | 8.0.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.8 | MEDIUM | — |
GHSA
GHSA-grxx-qh3p-vx7g · ghsa_unreviewed · 2022-05-24 · CVE-2020-7071 [MEDIUM] · CWE-20
Same description as the CVE record above.
OSV
php5, php7.0 vulnerabilities · osv · 2021-07-13 · CVSS 3.6 · indexed under CVE-2020-7068 [LOW]
USN-5006-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remote attacker could possibly
use this issue to cause P
OSV
php7.2, php7.4 vulnerabilities · osv · 2021-07-07 · CVSS 3.6 · indexed under CVE-2020-7068 [LOW]
It was discovered that PHP incorrectly handled certain PHAR files. A remote
attacker could possibly use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information. This issue
only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-7068)
It was discovered that PHP incorrectly handled parsing URLs with passwords.
A remote attacker could possibly use this issue to cause PHP to mis-parse
the URL and produce wrong data. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2020-7071)
It was discovered that PHP incorrectly handled certain malformed XML data
when being parsed by the SOAP extension. A remote attacker could possibly
use this issue to cause PHP to crash, resulting
OSV
CVE-2020-7071 · osv · 2021-02-15 · CVSS 5.3 [MEDIUM]
Same description as the CVE record above.
CISA ICS
Festo Didactic SE MES PC · cisa_ics · 2026-01-27 · CVSS 7.5 [HIGH]
ICS Advisory ICSA-26-027-02, release date January 27, 2026 (topics: Industrial Control System Vulnerabilities, Industrial Control Systems)
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Ubuntu
PHP vulnerabilities · vendor_ubuntu · 2021-07-13 · CVSS 4.8 · indexed under CVE-2021-21702 [MEDIUM]
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP. (Advisory text is the USN-5006-1 ESM follow-up shown in the OSV entry dated 2021-07-13 above.)
Ubuntu
PHP vulnerabilities · vendor_ubuntu · 2021-07-07 · CVSS 4.8 · CVE-2020-7071 [MEDIUM]
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP. (Advisory text is the same as the OSV entry dated 2021-07-07 above.)
Microsoft
FILTER_VALIDATE_URL accepts URLs with invalid userinfo · vendor_msrc · 2021-02-09 · CVSS 5.3 · CVE-2020-7071 [MEDIUM] · CWE-20
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Product: Mariner
Package: php
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micr
Red Hat
php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo · vendor_redhat · 2021-01-03 · CVSS 5.3 · CVE-2020-7071 [MEDIUM] · CWE-20
Same description as the CVE record above.
Package: php (Red Hat Enterprise Linux 6) - Out of support scope
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php:7.2/php (Red Hat Enterprise Linux 8) - Will not fix
Package: php:7.3/php (Red Hat Enterprise Linux 8) - Will not fix
Package: php (Red Hat Enterprise Linux 9) - Not affected
Debian
php7.4 · vendor_debian · 2020 · CVSS 5.3 · CVE-2020-7071 [MEDIUM]
Same description as the CVE record above.
Scope: local
bullseye: resolved (fixed in 7.4.14-1)
Suricata
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE · suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7071 [HIGH]
Note: this rule and the four that follow reference CVE-2006-7071, a 2006 Invision Power Board SQL injection, not CVE-2020-7071. They were associated with this page by the shared numeric suffix only and do not detect the PHP filter_var() issue; there is no network signature for CVE-2020-7071 on this page.
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; classtype:web-application-attack; sid:2004800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitr
Suricata
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT · suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7071 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; classtype:web-application-attack; sid:2004799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitr
Suricata
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII · suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7071 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; classtype:web-application-attack; sid:2004801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitr
Suricata
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE · suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7071 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; classtype:web-application-attack; sid:2004802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre
Suricata
ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT · suricata · 2010-07-30 · CVSS 7.5 · CVE-2006-7071 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; classtype:web-application-attack; sid:2004797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitr
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://bugs.php.net/bug.php?id=77423
- https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html
- https://security.gentoo.org/glsa/202105-23
- https://security.netapp.com/advisory/ntap-20210312-0005/
- https://www.debian.org/security/2021/dsa-4856
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-14