DEBIAN-CVE-2020-7070

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2020-7070

Downstream

DLA-2397-1 DSA-4856-1

Published: 02 Oct 2020, 15:15

Last modified:28 Apr 2026, 20:21

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

02 Oct 2020, 15:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:21

Last Modified

Vulnerability information updated

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Systems

debian•php7.4
< 7.4.11-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2020-7070