Vulnerability Details : CVE-2010-3870
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.
Vulnerability category: Sql InjectionCross site scripting (XSS)Input validation
Threat overview for CVE-2010-3870
Top countries where our scanners detected CVE-2010-3870
Top open port discovered on systems with this issue
80
IPs affected by CVE-2010-3870 65,155
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2010-3870!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2010-3870
Probability of exploitation activity in the next 30 days: 0.45%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 72 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-3870
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2010-3870
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3870
-
http://www.redhat.com/support/errata/RHSA-2010-0919.html
SupportThird Party Advisory
-
http://marc.info/?l=bugtraq&m=133469208622507&w=2
'[security bulletin] HPSBOV02763 SSRT100826 rev.1 - HP Secure Web Server (SWS) for OpenVMS running PH' - MARCMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:023Mailing List;Third Party Advisory
-
http://support.apple.com/kb/HT4581
About the security content of Mac OS X v10.6.7 and Security Update 2011-001 - Apple SupportThird Party Advisory
-
http://www.vupen.com/english/advisories/2011/0021
Webmail | OVH- OVHThird Party Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052836.html
[SECURITY] Fedora 13 Update: maniadrive-1.2-23.fc13Mailing List;Third Party Advisory
-
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:224
mandriva.comThird Party Advisory
-
http://www.acunetix.com/blog/web-security-articles/security-risks-associated-with-utf8_decode/
Security risks associated with utf8_decode and XSS filters | AcunetixExploit;Third Party Advisory
-
http://www.securityfocus.com/bid/44605
PHP 'xml_utf8_decode()' UTF-8 Input Validation VulnerabilityThird Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2010/11/02/11
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2010/11/02/1
oss-security - utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2010/11/02/6
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://bugs.php.net/bug.php?id=49687
PHP :: Sec Bug #49687 :: utf8_decode xml_utf8_decode vulnExploit;Vendor Advisory
-
http://us2.php.net/manual/en/function.utf8-decode.php#83935
PHP: utf8_decode - ManualExploit;Vendor Advisory
-
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html
Apple - Lists.apple.comMailing List;Third Party Advisory
-
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
sirdarckcat: A couple of unicode issues on PHP and FirefoxExploit;Third Party Advisory
-
http://bugs.php.net/bug.php?id=48230
PHP :: Bug #48230 :: xml_utf8_decode incorrectly decodeExploit;Vendor Advisory
-
http://svn.php.net/viewvc?view=revision&revision=304959
PHP: Revision 304959Patch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2010/11/02/2
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.vupen.com/english/advisories/2010/3081
Webmail | OVH- OVHThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2010/11/02/8
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
Exploit;Third Party Advisory
-
http://www.redhat.com/support/errata/RHSA-2011-0195.html
SupportThird Party Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052845.html
[SECURITY] Fedora 14 Update: maniadrive-1.2-23.fc14Mailing List;Third Party Advisory
-
http://www.securitytracker.com/id?1024797
PHP Validation Flaw in utf8_decode() Permits Cross-Site Scripting Attacks and Lets Remote Users Inject SQL Commands - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.openwall.com/lists/oss-security/2010/11/02/4
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.ubuntu.com/usn/USN-1042-1
USN-1042-1: PHP vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.php.net/ChangeLog-5.php
PHP: PHP 5 ChangeLogVendor Advisory
-
http://www.openwall.com/lists/oss-security/2010/11/03/1
oss-security - Re: utf-8 security issue in phpMailing List;Third Party Advisory
-
http://www.vupen.com/english/advisories/2011/0020
Webmail | OVH- OVHThird Party Advisory
-
http://www.vupen.com/english/advisories/2011/0077
Webmail | OVH- OVHThird Party Advisory
Products affected by CVE-2010-3870
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*