CVE-2008-5814

Publication date 2 January 2009

Last updated 24 July 2024

Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
php4	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	7.10 gutsy	Not in release
	6.06 LTS dapper	Ignored end of life
php5	9.10 karmic	Not affected
	9.04 jaunty	Fixed 5.2.6.dfsg.1-3ubuntu4.1
	8.10 intrepid	Fixed 5.2.6-2ubuntu4.2
	8.04 LTS hardy	Fixed 5.2.4-2ubuntu5.6
	7.10 gutsy	Ignored end of life, was needed
	6.06 LTS dapper	Fixed 5.1.2-1ubuntu3.14

Notes

jdstrand

verified 5.2.10.dfsg.1-1ubuntu1 in 9.10 is not affected by looking at the source package

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://viewcvs.php.net/viewvc.cgi/php-src/ext/standard/head.c?r1=1.84.2.1.2.8&r2=1.84.2.1.2.9&pathrev=PHP_5_2

References

Related Ubuntu Security Notices (USN)

USN-761-1
PHP vulnerabilities
20 April 2009

USN-761-2
PHP vulnerabilities
27 April 2009

Other references

https://www.cve.org/CVERecord?id=CVE-2008-5814