In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: php

Published: 2021-11-29T06:25:08.814960Z

Updated: 2024-09-17T03:38:22.394Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-21707

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-11-29T07:15:06.397

Modified: 2024-11-21T05:48:52.593

Link: CVE-2021-21707

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-11-15T00:00:00Z

Links: CVE-2021-21707 - Bugzilla