CVE - CVE-2009-4142

CVE-ID
CVE-2009-4142	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:1023372 URL:http://securitytracker.com/id?1023372 MISC:37389 URL:http://www.securityfocus.com/bid/37389 MISC:37821 URL:http://secunia.com/advisories/37821 MISC:38648 URL:http://secunia.com/advisories/38648 MISC:40262 URL:http://secunia.com/advisories/40262 MISC:ADV-2009-3593 URL:~~http://www.vupen.com/english/advisories/2009/3593~~ (Obsolete source) MISC:APPLE-SA-2010-03-29-1 URL:http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html MISC:DSA-2001 URL:http://www.debian.org/security/2010/dsa-2001 MISC:HPSBUX02543 URL:http://marc.info/?l=bugtraq&m=127680701405735&w=2 MISC:SSRT100152 URL:http://marc.info/?l=bugtraq&m=127680701405735&w=2 MISC:http://bugs.php.net/bug.php?id=49785 URL:http://bugs.php.net/bug.php?id=49785 MISC:http://support.apple.com/kb/HT4077 URL:http://support.apple.com/kb/HT4077 MISC:http://www.php.net/ChangeLog-5.php URL:http://www.php.net/ChangeLog-5.php MISC:http://www.php.net/releases/5_2_12.php URL:http://www.php.net/releases/5_2_12.php MISC:oval:org.mitre.oval:def:10005 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10005 MISC:oval:org.mitre.oval:def:7085 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7085
Assigning CNA
Red Hat, Inc.
Date Record Created
20091201	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20091201)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)