CVE-2007-0242

Description

The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.

4.3

CVSS

Severity: Medium

CVSS 2.0 •

EPSS 0.92% Top 30%

Vendor Advisory redhat.com Vendor Advisory mandriva.com Vendor Advisory mandriva.com Vendor Advisory novell.com Vendor Advisory debian.org Vendor Advisory redhat.com Vendor Advisory ubuntu.com Vendor Advisory sgi.com Vendor Advisory fedoranews.org Vendor Advisory redhat.com Vendor Advisory slackware.com Vendor Advisory mandriva.com

Affected: n/a n/a

References

Link	Tags
http://support.novell.com/techcenter/psdb/39ea4b325a7da742cb8b6995fa585b14.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/33397	vdb entry
http://secunia.com/advisories/24699	third party advisory
http://www.redhat.com/support/errata/RHSA-2007-0909.html	vendor advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2007:074	vendor advisory
https://issues.rpath.com/browse/RPL-1202
http://www.mandriva.com/security/advisories?name=MDKSA-2007:076	vendor advisory
http://support.avaya.com/elmodocs2/security/ASA-2007-424.htm
http://secunia.com/advisories/24889	third party advisory
http://secunia.com/advisories/27275	third party advisory
http://secunia.com/advisories/24727	third party advisory
http://secunia.com/advisories/26857	third party advisory
http://www.trolltech.com/company/newsroom/announcements/press.2007-03-30.9172215350	patch
http://www.novell.com/linux/security/advisories/2007_6_sr.html	vendor advisory
http://www.nabble.com/Bug-417390:-CVE-2007-0242%2C--Qt-UTF-8-overlong-sequence-decoding-vulnerability-t3506065.html
http://www.debian.org/security/2007/dsa-1292	vendor advisory
http://secunia.com/advisories/24847	third party advisory
http://secunia.com/advisories/24705	third party advisory
http://rhn.redhat.com/errata/RHSA-2011-1324.html	vendor advisory
http://www.securityfocus.com/bid/23269	vdb entry
http://secunia.com/advisories/46117	third party advisory
http://secunia.com/advisories/27108	third party advisory
http://secunia.com/advisories/24759	third party advisory
http://www.ubuntu.com/usn/usn-452-1	vendor advisory
http://secunia.com/advisories/24726	third party advisory
ftp://patches.sgi.com/support/free/security/advisories/20070901-01-P.asc	vendor advisory
http://www.vupen.com/english/advisories/2007/1212	vdb entry
http://secunia.com/advisories/25263	third party advisory
http://secunia.com/advisories/26804	third party advisory
http://fedoranews.org/updates/FEDORA-2007-703.shtml	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11510	signature vdb entry
http://www.redhat.com/support/errata/RHSA-2007-0883.html	vendor advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.348591	vendor advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2007:075	vendor advisory
http://support.novell.com/techcenter/psdb/fc79b7f48d739f9c803a24ddad933384.html
http://secunia.com/advisories/24797	third party advisory

Frequently Asked Questions

What is the severity of CVE-2007-0242?: CVE-2007-0242 has been scored as a medium severity vulnerability.
How to fix CVE-2007-0242?: To fix CVE-2007-0242, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2007-0242 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2007-0242 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.