CVE-2021-21707
published 2021-11-29CVE-2021-21707: In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the…
PriorityP340medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
25.95%
97.7th percentile
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php7.4 | < php7.4 7.4.28-1+deb11u1 (bullseye) | php7.4 7.4.28-1+deb11u1 (bullseye) |
| msrc | cbl2_php_on_cbl_mariner_2.0 | — | — |
| php | php | >= 7.3.0 < 7.3.33 | 7.3.33 |
| php | php | >= 7.4.0 < 7.4.26 | 7.4.26 |
| php | php | >= 8.0.0 < 8.0.13 | 8.0.13 |
| php_group | php | >= 7.3.x < 7.3.33 | 7.3.33 |
| php_group | php | >= 7.4.x < 7.4.26 | 7.4.26 |
| php_group | php | >= 8.0.X < 8.0.13 | 8.0.13 |
| tenable | tenable.sc | < 5.21.0 | 5.21.0 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv6.5MEDIUM
vendor_ubuntu6.5MEDIUM
vendor_debian5.3MEDIUM
vendor_msrc5.3MEDIUM
vendor_oracle5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
php7.2, php7.4 vulnerabilities
osv·2022-03-03·CVSS 6.5
CVE-2015-9253 [MEDIUM] php7.2, php7.4 vulnerabilities
php7.2, php7.4 vulnerabilities
USN-5300-1 fixed vulnerabilities in PHP. This update provides the
corresponding updates for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2015-9253, CVE-2017-8923, CVE-2017-9118, CVE-2017-9120)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly obtain sensitive information. (CVE-2017-9119)
It was discovered that PHP incorrectly handled certain scripts with XML
parsing functions.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2021-21707)
OSV
php7.0 vulnerabilities
osv·2022-02-22·CVSS 6.5
CVE-2015-9253 [MEDIUM] php7.0 vulnerabilities
php7.0 vulnerabilities
It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2015-9253, CVE-2017-8923, CVE-2017-9118, CVE-2017-9120)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly obtain sensitive information. (CVE-2017-9119)
It was discovered that PHP incorrectly handled certain scripts with XML
parsing functions.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2021-21707)
GHSA
GHSA-qh78-qfw9-93x9: In PHP versions 7
ghsa_unreviewed·2021-11-30
CVE-2021-21707 [MEDIUM] GHSA-qh78-qfw9-93x9: In PHP versions 7
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
OSV
CVE-2021-21707: In PHP versions 7
osv·2021-11-29·CVSS 5.3
CVE-2021-21707 [MEDIUM] CVE-2021-21707: In PHP versions 7
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
CISA ICS
Festo Didactic SE MES PC
cisa_ics·2026-01-27·CVSS 7.5
[HIGH] Festo Didactic SE MES PC
ICS Advisory
##
Festo Didactic SE MES PC
Release DateJanuary 27, 2026
Alert CodeICSA-26-027-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Oracle
Oracle Oracle Communications Risk Matrix: Platform (PHP) — CVE-2021-21707
vendor_oracle·2022-10-15·CVSS 5.3
CVE-2021-21707 [MEDIUM] Oracle Oracle Communications Risk Matrix: Platform (PHP) — CVE-2021-21707
Oracle Oracle Communications Risk Matrix: Platform (PHP) vulnerability
CVE: CVE-2021-21707
CVSS: 5.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2022 (OCT 2022)
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2022-03-07·CVSS 6.5
CVE-2017-9118 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
USN-5300-1 fixed vulnerabilities in PHP. This update provides the
corresponding updates for Ubuntu 21.10.
Original advisory details:
It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2015-9253, CVE-2017-8923, CVE-2017-9118, CVE-2017-9120)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly obtain sensitive information. (CVE-2017-9119)
It was discovered that PHP incorrectly handled certain scripts with XML
parsing functions.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2021-21707)
Instruct
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2022-03-03·CVSS 6.5
CVE-2017-9118 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
USN-5300-1 fixed vulnerabilities in PHP. This update provides the
corresponding updates for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2015-9253, CVE-2017-8923, CVE-2017-9118, CVE-2017-9120)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly obtain sensitive information. (CVE-2017-9119)
It was discovered that PHP incorrectly handled certain scripts with XML
parsing functions.
An attacker could possibly use this issue to obtain sensitive information.
(
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2022-02-22·CVSS 6.5
CVE-2017-8923 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2015-9253, CVE-2017-8923, CVE-2017-9118, CVE-2017-9120)
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly obtain sensitive information. (CVE-2017-9119)
It was discovered that PHP incorrectly handled certain scripts with XML
parsing functions.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2021-21707)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
php: Special character breaks path in xml parsing
vendor_redhat·2021-11-15·CVSS 5.3
CVE-2021-21707 [MEDIUM] CWE-20 php: Special character breaks path in xml parsing
php: Special character breaks path in xml parsing
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
A flaw was found in php. The main cause of this vulnerability is improper input validation while parsing an Extensible Markup Language(XML) entity. A special character could allow an attacker to traverse directories. The highest threat from this vulnerability is confidentiality.
Package: php (Red Hat Enterpr
Microsoft
Special characters break path parsing in XML functions
vendor_msrc·2021-11-09·CVSS 5.3
CVE-2021-21707 [MEDIUM] CWE-159 Special characters break path parsing in XML functions
Special characters break path parsing in XML functions
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
php: php
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.micr
Debian
CVE-2021-21707: php7.4 - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, c...
vendor_debian·2021·CVSS 5.3
CVE-2021-21707 [MEDIUM] CVE-2021-21707: php7.4 - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, c...
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Scope: local
bullseye: resolved (fixed in 7.4.28-1+deb11u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugs.php.net/bug.php?id=79971https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlhttps://security.netapp.com/advisory/ntap-20211223-0005/https://www.debian.org/security/2022/dsa-5082https://www.tenable.com/security/tns-2022-09https://bugs.php.net/bug.php?id=79971https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlhttps://security.netapp.com/advisory/ntap-20211223-0005/https://www.debian.org/security/2022/dsa-5082https://www.tenable.com/security/tns-2022-09
2021-11-29
Published