In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: php
Published: 2021-11-29T06:25:08.814960Z
Updated: 2024-09-17T03:38:22.394Z
Reserved: 2021-01-04T00:00:00
Link: CVE-2021-21707
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-11-29T07:15:06.397
Modified: 2024-11-21T05:48:52.593
Link: CVE-2021-21707
Redhat