PHP DirectoryIterator class accepts filenames with embedded null byte and treats them as terminating at that byte
Affected PHP Versions
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP's DirectoryIterator class accepts filenames with embedded null bytes (\u0000) and treats them as terminating at that byte. This can lead to security vulnerabilities, for example in applications that check which paths the code is allowed to access.
Filter paths and filenames before providing them to the
$var = preg_replace('/\\0/', "", $var);
When possible, update to PHP 7.2.26 or later, PHP 7.3.13 or later, or 7.4.1 or later.
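The following is an added example, not part of the original advisory, showing why the filter has to run before the path check rather than after it. The "/public" suffix policy, the function names and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Constructed policy for this example: only directories named "public" may be listed.
function ends_with_public(string $path): bool
{
    return substr($path, -7) === '/public';
}

// The path an affected PHP version acts on: everything before the first NUL byte.
function truncated_at_nul(string $path): string
{
    $pos = strpos($path, "\0");
    return $pos === false ? $path : substr($path, 0, $pos);
}

// Filter first (the advisory's preg_replace), then check, then iterate.
function list_public_dir(string $userPath): array
{
    $clean = preg_replace('/\\0/', '', $userPath);
    if ($clean === null || !ends_with_public($clean)) {
        throw new InvalidArgumentException('path not allowed');
    }
    $names = [];
    foreach (new DirectoryIterator($clean) as $entry) {
        if (!$entry->isDot()) {
            $names[] = $entry->getFilename();
        }
    }
    sort($names);
    return $names;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . '/nul_demo_' . getmypid();
mkdir("$root/private", 0700, true);
mkdir("$root/public", 0700, true);
touch("$root/public/index.html");

$input = "$root/private\0/public"; // constructed input with an embedded NUL byte

// Unfiltered, the suffix check and an affected DirectoryIterator disagree on the target.
var_dump(ends_with_public($input), truncated_at_nul($input) === "$root/private");

// Filtered, the check and the iterator see the same string; that directory does not exist.
try {
    list_public_dir($input);
} catch (UnexpectedValueException $e) {
    echo "not opened: ", get_class($e), "\n";
}
print_r(list_public_dir("$root/public"));
```

Because the access check and DirectoryIterator both receive the already-filtered string, they can no longer disagree about which directory is being opened.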