CVE-2021-21707
Special characters break path parsing in XML functions
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, such as simplexml_load_file(), URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, the function may treat it as the end of the filename, interpreting the filename differently from what the user intended and potentially reading a different file than intended.
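The following is an added example, not code from this page or from the PHP project: a pre-check that rejects a path holding a raw or URL-encoded NUL before it reaches a function such as simplexml_load_file(), together with a version test against the ranges listed here. The function names and the sample paths are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: helper names are hypothetical, sample paths are constructed.

// True when an upstream PHP version string falls in a range listed on this page.
// Distribution packages may backport the fix; this compares version strings only.
function in_affected_range(string $version): bool
{
    $ranges = [['7.3.0', '7.3.33'], ['7.4.0', '7.4.26'], ['8.0.0', '8.0.13']];
    foreach ($ranges as [$from, $fixed]) {
        if (version_compare($version, $from, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Returns $path unchanged, or throws if it holds a NUL byte in raw or URL-encoded form.
function assert_safe_xml_path(string $path): string
{
    $decoded = $path;
    // Decode repeatedly so nested encodings (e.g. %2500 -> %00 -> NUL) are caught.
    for ($round = 0; $round < 5; $round++) {
        if (strpos($decoded, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in XML path');
        }
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            return $path; // fully decoded and no NUL seen
        }
        $decoded = $next;
    }
    throw new InvalidArgumentException('XML path is encoded too deeply');
}

// Constructed sample paths: two benign, two carrying an encoded NUL.
$samples = ['data/feed.xml', 'data/my%20feed.xml', 'data/feed.xml%00.bak', 'data/feed.xml%2500.bak'];
foreach ($samples as $sample) {
    try {
        assert_safe_xml_path($sample);
        echo "accept  $sample\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $sample ({$e->getMessage()})\n";
    }
}
printf("PHP %s in affected range: %s\n", PHP_VERSION, in_affected_range(PHP_VERSION) ? 'yes' : 'no');
```

Call assert_safe_xml_path() on any externally influenced filename before handing it to an XML loading function; upgrading to a fixed release remains the actual remedy.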
We have discovered 1,044,385 live websites that are affected by CVE-2021-21707.
Affected Software
| | |
|---|---|
| Product | PHP |
| Category | Programming Languages |
| Vulnerable Versions | from 7.3 before 7.3.33; from 7.4 before 7.4.26; from 8 before 8.0.13 |
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 1,044,385 live websites (8.63% of PHP install base) |
Common Weakness Enumeration
CWE-159 Improper Handling of Invalid Use of Special Elements
Distribution by Website Rank
The diagram shows how the occurrence of CVE-2021-21707 correlates with the relative popularity of websites.