Fluid Attacks Database

Description

The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libhtml-parser-perl	>=0 <3.64-1	3.64-1
debian 11	libhtml-parser-perl	>=0 <3.64-1	3.64-1
debian 13	libhtml-parser-perl	>=0 <3.64-1	3.64-1
debian 14	libhtml-parser-perl	>=0 <3.64-1	3.64-1

Aliases

1. CVE-2009-36272. NVD-2009-36273. OSV-DEBIAN-2009-36274. OSV-2009-36275. SECURITY-TRACKER-CVE-2009-3627

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.