Strix
26.1K

CVE-2004-0595

UnknownEPSS 45.16%

Last modified

CVE-2004-0595 is a vulnerability of currently unknown severity. The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.. EPSS estimates a 45.16% chance of exploitation in the next 30 days.

Description

The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.

Metrics

EPSS Probability
45.16%

98.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersionsUpdate
AvayaConverged Communications Server2.0
RedhatFedora Corecore_1.0
RedhatFedora Corecore_2.0
TrustixSecure Linux1.5
TrustixSecure Linux2.0
TrustixSecure Linux2.1
AvayaIntegrated ManagementAll versions
PhpPhp4.0
PhpPhp4.0.1
PhpPhp4.0.2
PhpPhp4.0.3
PhpPhp4.0.4
PhpPhp4.0.5
PhpPhp4.0.6
PhpPhp4.0.7
PhpPhp4.1.0
PhpPhp4.1.1
PhpPhp4.1.2
PhpPhp4.2.0
PhpPhp4.2.1
PhpPhp4.2.2
PhpPhp4.2.3
PhpPhp4.3.0
PhpPhp4.3.1
PhpPhp4.3.2
PhpPhp4.3.3
PhpPhp4.3.5
PhpPhp4.3.6
PhpPhp4.3.7
PhpPhp5.0Rc1
AvayaS8300r2.0.0
AvayaS8300r2.0.1
AvayaS8500r2.0.0
AvayaS8500r2.0.1
AvayaS8700r2.0.0
AvayaS8700r2.0.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2004-0595?
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
How severe is CVE-2004-0595?
Severity scoring for CVE-2004-0595 is pending analysis. The EPSS model estimates a 45.16% probability of exploitation in the next 30 days.
How do I fix CVE-2004-0595?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2004-0595?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST