CVE-2015-8935

Publication date 21 June 2016

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php7.0	16.04 LTS xenial	Not affected
	15.10 wily	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
php5	16.04 LTS xenial	Not in release
	15.10 wily	Not affected
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.19
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.24

Notes

mdeslaur

precise needs backported fix

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=996faf964bba1aec06b153b370a7f20d3dd2bb8b Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9ba4db5e5d6aae8b1df934fbe26ea976b026576d

Severity score breakdown

Parameter	Value
Base score	6.1 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N