CVE-2005-3388

Exp

Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."

Published: 2005-11-01 Last update: 2026-04-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2005-3388 is rated High Exploit Risk (69.2/100): CVSS Medium severity, with high exploitation likelihood (EPSS 63.29%, 98th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +2.50% over the last day, indicating growing attacker interest. Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2005-3388

EDB-ID Source Kind Published Link
26442 exploit_db edb 2005-10-31 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2005-3388

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-11 60.79% 63.29% +2.50%
2 2026-03-02 63.29% 60.79% -2.50%
3 2025-12-28 63.29%

Full EPSS history (21 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2005-3388

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2005-3388

OS Trackers for CVE-2005-3388

vendor priority summary link
gentoo normal CVE-2005-3388: 1 GLSA(s) (200511-08), 3 atom(s) (dev-php/mod_php, dev-php/php, dev-php/php-cgi); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2005-3388
redhat low https://access.redhat.com/security/cve/CVE-2005-3388
suse medium CVE-2005-3388 severity moderate: SUSE including 149 source package names (apache2-mod_php8-8.4.10-160000.2.2, php7-7.4.24-1.1, …), 149 product×package rows across 2 product lines (SUSE Linux Enterprise Server 16.0, openSUSE Tumbleweed): Fixed 149. https://www.suse.com/security/cve/CVE-2005-3388/
ubuntu medium CVE-2005-3388 medium priority: Ubuntu including 2 source packages (php4, php5), 8 status rows across 4 suites (dapper, edgy, feisty, upstream): released 5, needs-triage 2, DNE 1. https://ubuntu.com/security/CVE-2005-3388

Affected software / configurations for CVE-2005-3388

Vendor Product Version Raw CPE
php php 4.0.0 cpe:2.3:a:php:php:4.0.0:*:*:*:*:*:*:*
php php 4.0.1 cpe:2.3:a:php:php:4.0.1:*:*:*:*:*:*:*
php php 4.0.1 cpe:2.3:a:php:php:4.0.1:patch1:*:*:*:*:*:*
php php 4.0.1 cpe:2.3:a:php:php:4.0.1:patch2:*:*:*:*:*:*
php php 4.0.2 cpe:2.3:a:php:php:4.0.2:*:*:*:*:*:*:*
php php 4.0.3 cpe:2.3:a:php:php:4.0.3:*:*:*:*:*:*:*
php php 4.0.3 cpe:2.3:a:php:php:4.0.3:patch1:*:*:*:*:*:*
php php 4.0.4 cpe:2.3:a:php:php:4.0.4:*:*:*:*:*:*:*
php php 4.0.5 cpe:2.3:a:php:php:4.0.5:*:*:*:*:*:*:*
php php 4.0.6 cpe:2.3:a:php:php:4.0.6:*:*:*:*:*:*:*
php php 4.0.7 cpe:2.3:a:php:php:4.0.7:*:*:*:*:*:*:*
php php 4.0.7 cpe:2.3:a:php:php:4.0.7:rc1:*:*:*:*:*:*
php php 4.0.7 cpe:2.3:a:php:php:4.0.7:rc2:*:*:*:*:*:*
php php 4.0.7 cpe:2.3:a:php:php:4.0.7:rc3:*:*:*:*:*:*
php php 4.1.0 cpe:2.3:a:php:php:4.1.0:*:*:*:*:*:*:*
php php 4.1.1 cpe:2.3:a:php:php:4.1.1:*:*:*:*:*:*:*
php php 4.1.2 cpe:2.3:a:php:php:4.1.2:*:*:*:*:*:*:*
php php 4.2 cpe:2.3:a:php:php:4.2:*:dev:*:*:*:*:*
php php 4.2.0 cpe:2.3:a:php:php:4.2.0:*:*:*:*:*:*:*
php php 4.2.1 cpe:2.3:a:php:php:4.2.1:*:*:*:*:*:*:*
php php 4.2.2 cpe:2.3:a:php:php:4.2.2:*:*:*:*:*:*:*
php php 4.2.3 cpe:2.3:a:php:php:4.2.3:*:*:*:*:*:*:*
php php 4.3.0 cpe:2.3:a:php:php:4.3.0:*:*:*:*:*:*:*
php php 4.3.1 cpe:2.3:a:php:php:4.3.1:*:*:*:*:*:*:*
php php 4.3.2 cpe:2.3:a:php:php:4.3.2:*:*:*:*:*:*:*
php php 4.3.3 cpe:2.3:a:php:php:4.3.3:*:*:*:*:*:*:*
php php 4.3.4 cpe:2.3:a:php:php:4.3.4:*:*:*:*:*:*:*
php php 4.3.5 cpe:2.3:a:php:php:4.3.5:*:*:*:*:*:*:*
php php 4.3.6 cpe:2.3:a:php:php:4.3.6:*:*:*:*:*:*:*
php php 4.3.7 cpe:2.3:a:php:php:4.3.7:*:*:*:*:*:*:*
php php 4.3.8 cpe:2.3:a:php:php:4.3.8:*:*:*:*:*:*:*
php php 4.3.9 cpe:2.3:a:php:php:4.3.9:*:*:*:*:*:*:*
php php 4.3.10 cpe:2.3:a:php:php:4.3.10:*:*:*:*:*:*:*
php php 4.3.11 cpe:2.3:a:php:php:4.3.11:*:*:*:*:*:*:*
php php 4.4.0 cpe:2.3:a:php:php:4.4.0:*:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*
php php 5.0.0 cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*
php php 5.0.1 cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*
php php 5.0.2 cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*
php php 5.0.3 cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*
php php 5.0.4 cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*
php php 5.0.5 cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*

References for CVE-2005-3388

URL Tags
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00786522
http://rhn.redhat.com/errata/RHSA-2006-0549.html
http://secunia.com/advisories/17371 Patch Vendor Advisory
http://secunia.com/advisories/17490
http://secunia.com/advisories/17510
http://secunia.com/advisories/17531
http://secunia.com/advisories/17557
http://secunia.com/advisories/17559
http://secunia.com/advisories/18198
http://secunia.com/advisories/18669
http://secunia.com/advisories/21252
http://secunia.com/advisories/22691
http://securityreason.com/securityalert/133
http://securitytracker.com/id?1015130
http://support.avaya.com/elmodocs2/security/ASA-2006-037.htm
http://www.fedoralegacy.org/updates/FC2/2005-11-28-FLSA_2005_166943__Updated_php_packages_fix_security_issues.html
http://www.gentoo.org/security/en/glsa/glsa-200511-08.xml
http://www.hardened-php.net/advisory_182005.77.html Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2005:213
http://www.novell.com/linux/security/advisories/2005_27_sr.html
http://www.openpkg.org/security/OpenPKG-SA-2005.027-php.html
http://www.php.net/release_4_4_1.php Patch
http://www.redhat.com/support/errata/RHSA-2005-831.html
http://www.redhat.com/support/errata/RHSA-2005-838.html
http://www.securityfocus.com/archive/1/415292
http://www.securityfocus.com/bid/15248 Patch
http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
http://www.vupen.com/english/advisories/2005/2254
http://www.vupen.com/english/advisories/2006/4320
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PIRZJHM6UDNWNHZ3PCMEZ2YUK3CWY2UE/
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10542
https://www.ubuntu.com/usn/usn-232-1/
cvelogic Threat Intelligence