VDB
CVE-2007-3205
CVE-2007-3205
PUBLISHED
CVSS 5 MEDIUM
The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
EPSS 1.00% · 77.3th percentile
Risk Scores
CVSS v2.0
5
EPSS Score
1.00%
77.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| php | php | |
| hardened-php_project | subhosin | |
| hardened-php_project | hardened-php | |
| n/a | n/a | n/a |
Timeline
- Jun 13, 2007 CVE Published
- Feb 4, 2022 EPSS Score
- May 1, 2022 CVE Updated
- Mar 7, 2023 EPSS Score
- Mar 9, 2024 EPSS Score
- Apr 16, 2024 EPSS Score
- May 24, 2024 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 21, 2025 EPSS Score
- Mar 22, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
References
- 39834 vdb
- 2800 third-party-advisory
- 20070612 Re: PHP parse_str() arbitrary variable overwrite mailing-list
- php-parsestr-code-execution(34836) vdb
- 20070613 Re: PHP parse_str() arbitrary variable overwrite mailing-list
- http://www.acid-root.new.fr/advisories/14070612.txt url
- 20070612 PHP parse_str() arbitrary variable overwrite mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2007-3205 advisory