CVE-2002-0986
PUBLISHED
CVSS 5 MEDIUM
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."
EPSS 20.41% · 95.7th percentile
Risk Scores
- CVSS 2.0: 5
- EPSS Score: 20.41% (95.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| php | php | 4.0.2, 4.2.1, 3.0.18 |
| n/a | n/a | n/a |
Exploit Intelligence
- 20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php) (circl)
- DSA-168 (circl)
- VU#410609 (circl)
- 20020823 PHP: Bypass safe_mode and inject ASCII control chars with mail() (circl)
- RHSA-2002:243 (circl)
- 2160 (circl)
- RHSA-2003:159 (circl)
- MDKSA-2003:082 (circl)
- 5562 (circl)
- CSSA-2003-008.0 (circl)
…and 7 more exploits
Timeline
- Sep 24, 2002 CVE Published
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Sep 8, 2023 EPSS Score
- Dec 22, 2023 EPSS Score
- Feb 13, 2024 EPSS Score
References
- 20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php) mailing-list
- DSA-168 vendor-advisory
- VU#410609 third-party-advisory
- 20020823 PHP: Bypass safe_mode and inject ASCII control chars with mail() mailing-list
- RHSA-2002:243 vendor-advisory
- 2160 vdb
- RHSA-2003:159 vendor-advisory
- MDKSA-2003:082 vendor-advisory
- 5562 vdb
- CSSA-2003-008.0 vendor-advisory
- php-mail-ascii-injection(9959) vdb
- SuSE-SA:2002:036 vendor-advisory
- CLA-2002:545 vendor-advisory
- RHSA-2002:213 vendor-advisory
- RHSA-2002:248 vendor-advisory
- RHSA-2002:244 vendor-advisory
- RHSA-2002:214 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2002-0986 advisory