@now/php
CVE History
| CVE | Affected | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|---|
| >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 7.5 HIGH | — | ||
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application. | ||||
| >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 9.1 CRITICAL | — | ||
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 7.5 HIGH | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 7.5 HIGH | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 9.8 CRITICAL | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the persistance is handled incorrectly, resulting in freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 6.5 MEDIUM | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding(). | ||||
| >= 8.2.0, < 8.2.21, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 7.5 HIGH | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On the systems with default signed char and optimized table-lookup ctype functions - such as NetBSD - this can lead to accessing array with negative offset, which can trigger a denial of service. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 6.1 MEDIUM | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 9.8 CRITICAL | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | ||||
| >= 8.2.0, < 8.2.31, >= 8.3.0, < 8.3.31, >= 8.4.0, < 8.4.21, >= 8.5.0, < 8.5.6 | 9.8 CRITICAL | — | ||
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements. | ||||
| >= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.1 | 7.5 HIGH | — | ||
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. | ||||
| >= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, = 8.5.0 | 7.5 HIGH | — | ||
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | ||||
| >= 8.1.0, < 8.1.34, >= 8.2.0, < 8.2.30, >= 8.3.0, < 8.3.29, >= 8.4.0, < 8.4.16, >= 8.5.0, < 8.5.1 | 6.5 MEDIUM | — | ||
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. | ||||
| >= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.10 | 3.7 LOW | — | ||
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions. | ||||
| >= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.10 | 5.9 MEDIUM | — | ||
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid. | ||||
| >= 8.1.0, < 8.1.33, >= 8.2.0, < 8.2.29, >= 8.3.0, < 8.3.23, >= 8.4.0, < 8.4.10 | 5.9 MEDIUM | — | ||
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. | ||||
| >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5 | 8.1 HIGH | — | ||
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution. | ||||
| >= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5 | 5.3 MEDIUM | — | ||
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers. | ||||
| >= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5 | 7.3 HIGH | — | ||
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31, >= 8.4.0, < 8.4.5 | 9.8 CRITICAL | — | ||
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location. | ||||
| >= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5 | 5.3 MEDIUM | — | ||
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations. | ||||
| >= 8.1.0, < 8.1.32, >= 8.2.0, < 8.2.28, >= 8.3.0, < 8.3.19, >= 8.4.0, < 8.4.5 | 3.1 LOW | — | ||
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc. | ||||
| >= 8.0.0, < 8.0.27, >= 8.1.0, < 8.1.15, >= 8.2.0, < 8.2.2 | 9.1 CRITICAL | — | ||
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31 | 4.8 MEDIUM | — | ||
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31 | 9.8 CRITICAL | — | ||
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31 | 4.8 MEDIUM | — | ||
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31 | 5.8 MEDIUM | — | ||
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server. | ||||
| >= 8.3.0, < 8.3.14, >= 8.2.0, < 8.2.26, >= 8.1.0, < 8.1.31 | 9.8 CRITICAL | — | ||
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | ||||
| >= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12 | 3.3 LOW | — | ||
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability. | ||||
| >= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12 | 8.1 HIGH | — | ||
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | ||||
| >= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12 | 7.5 HIGH | — | ||
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP. | ||||
| >= 8.1.0, < 8.1.30, >= 8.2.0, < 8.2.24, >= 8.3.0, < 8.3.12 | 3.1 LOW | — | ||
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior. | ||||
| = *, >= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.29 | 9.8 CRITICAL | — | ||
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | ||||
| >= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.29 | 5.9 MEDIUM | — | ||
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability. | ||||
| >= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.29, >= 8.0.2, <= 8.0.30, >= 7.4.15, <= 7.4.33, >= 7.3.27, <= 7.3.33 | 5.3 MEDIUM | — | ||
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. | ||||
| >= 8.2.0, < 8.2.20, >= 8.3.0, < 8.3.8, >= 8.1.0, < 8.1.29 | 7.7 HIGH | — | ||
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | ||||
| >= 8.3.0, < 8.3.5 | 7.5 HIGH | — | ||
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function. | ||||
| >= 8.3.0, < 8.3.5, >= 8.1.0, < 8.1.28, >= 8.2.0, < 8.2.18 | 6.5 MEDIUM | — | ||
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | ||||
| >= 8.3.0, < 8.3.5, >= 8.1.0, < 8.1.28, >= 8.2.0, < 8.2.18 | 9.4 CRITICAL | — | ||
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | ||||
| = *, < 8.1.28, >= 8.2.0, < 8.2.18, >= 8.3.0, < 8.3.6 | 9.8 CRITICAL | — | ||
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | ||||
| < 8.0.0 | 6.8 MEDIUM | — | ||
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | ||||
| < 8.0.22 | 6.2 MEDIUM | — | ||
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | ||||
| = *, >= 8.1.0, < 8.1.22, >= 8.0.0, < 8.0.30, >= 8.2.0, < 8.2.9 | 9.4 CRITICAL | — | ||
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. | ||||
| = *, >= 8.1.0, < 8.1.22, >= 8.0.0, < 8.0.30, >= 8.2.0, < 8.2.9 | 8.6 HIGH | — | ||
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down. | ||||
| >= 8.2.0, < 8.2.7, >= 8.1.0, < 8.1.20, >= 8.0.0, < 8.0.29 | 2.6 LOW | — | ||
In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. | ||||
| >= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.28 | 7.7 HIGH | — | ||
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. | ||||
| >= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.28 | 7.5 HIGH | — | ||
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. | ||||
| >= 8.2.0, < 8.2.3, >= 8.1.0, < 8.1.16, >= 8.0.0, < 8.0.28 | 7.5 HIGH | — | ||
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. | ||||
| = *, >= 8.0.0, < 8.0.25, >= 7.4.0, < 7.4.33, >= 8.1.0, < 8.1.12 | 6.5 MEDIUM | — | ||
In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information. | ||||
| >= 8.0.0, < 8.0.25, >= 8.1.0, < 8.1.12, >= 7.2.0, < 7.4.33 | 9.8 CRITICAL | — | ||
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. | ||||
| >= 8.1.0, < 8.1.11, >= 8.0.0, < 8.0.24, < 7.4.31 | 6.5 MEDIUM | — | ||
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. | ||||
| >= 8.1.0, < 8.1.11, >= 8.0.0, < 8.0.24, < 7.4.31 | 2.3 LOW | — | ||
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop. | ||||
| >= 8.1.0, < 8.1.8 | 7.7 HIGH | — | ||
In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption. | ||||
| >= 8.1.0, < 8.1.7, >= 8.0.0, < 8.0.20, >= 7.4.0, < 7.4.30 | 7.5 HIGH | 6 MEDIUM | ||
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. | ||||
| >= 8.1.0, < 8.1.7, >= 8.0.0, < 8.0.20, >= 7.4.0, < 7.4.30 | 8.1 HIGH | 6.8 MEDIUM | ||
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service. | ||||
| >= 8.1.0, < 8.1.3, >= 8.0.0, < 8.0.16, >= 7.4.0, < 7.4.28 | 8.2 HIGH | 6.8 MEDIUM | ||
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits. | ||||
| >= 8.0.0, < 8.0.13, >= 7.4.0, < 7.4.26, >= 7.3.0, < 7.3.33 | 5.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. | ||||
| >= 7.3.0, <= 7.3.31, >= 7.4.0, < 7.4.25, >= 8.0.0, < 8.0.12 | 7.8 HIGH | 6.9 MEDIUM | ||
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. | ||||
| >= 7.3.0, < 7.3.31, >= 7.4.0, < 7.4.24, >= 8.0.0, < 8.0.11 | 5.3 MEDIUM | 4.3 MEDIUM | ||
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions. | ||||
| >= 8.0.0, < 8.0.8, >= 7.4.0, < 7.4.21, >= 7.3.0, < 7.3.29 | 4.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision. | ||||
| >= 8.0.0, < 8.0.8, >= 7.4.0, < 7.4.21, >= 7.3.0, < 7.3.29 | 5 MEDIUM | 4.3 MEDIUM | ||
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. | ||||
| = 5.0.0, = 7.0.0, = 8.0.0 | 6.1 MEDIUM | 4.3 MEDIUM | ||
XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16. | ||||
| >= 7.3.0, < 7.3.27, >= 7.4.0, < 7.4.15, >= 8.0.0, < 8.0.2 | 5.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. | ||||
| >= 7.3.0, < 7.3.26, >= 7.4.0, < 7.4.14, >= 8.0.0, < 8.0.1 | 5.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL. | ||||
| >= 7.4.0, < 7.4.11, >= 7.3.0, < 7.3.23, >= 7.2.0, < 7.2.34 | 4.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. | ||||
| >= 7.4.0, < 7.4.11, >= 7.3.0, < 7.3.23, >= 7.2.0, < 7.2.34 | 5.4 MEDIUM | 6.4 MEDIUM | ||
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. | ||||
| >= 7.4.0, < 7.4.9, >= 7.3.0, < 7.3.21, >= 7.2.0, < 7.2.33 | 4.8 MEDIUM | 3.3 LOW | ||
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. | ||||
| < 7.2.16 | 7.5 HIGH | 5 MEDIUM | ||
An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled. | ||||
| >= 7.4.0, < 7.4.6, >= 7.3.0, < 7.3.18, >= 7.2.0, < 7.2.31 | 5.3 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server. | ||||
| >= 7.4.0, < 7.4.5, >= 7.3.0, < 7.3.17, >= 7.2.0, < 7.2.30 | 7.5 HIGH | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes. | ||||
| >= 7.3.0, < 7.3.16, >= 7.2.0, < 7.2.29, >= 7.4.0, < 7.4.4 | 5.3 MEDIUM | 4.3 MEDIUM | ||
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. | ||||
| >= 7.3.0, < 7.3.16, >= 7.4.0, < 7.4.4 | 7.4 HIGH | 6.8 MEDIUM | ||
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. | ||||
| >= 7.3.0, < 7.3.16, >= 7.2.0, < 7.2.29, >= 7.4.0, < 7.4.4 | 6.5 MEDIUM | 5.8 MEDIUM | ||
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash. | ||||
| >= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.2 | 5.5 MEDIUM | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted. | ||||
| >= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.2 | 7.5 HIGH | 4.3 MEDIUM | ||
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash. | ||||
| >= 7.2.0, <= 7.2.27, >= 7.3.0, <= 7.3.14, >= 7.4.0, <= 7.4.2 | 6.5 MEDIUM | 6.4 MEDIUM | ||
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash. | ||||
| >= 5.6.0, < 5.6.1 | 9.8 CRITICAL | 6.8 MEDIUM | ||
Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value. | ||||
| >= 5.3.0, <= 5.3.10 | 7.5 HIGH | 7.8 HIGH | ||
regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. | ||||
| >= 7.4.0, < 7.4.2, >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.14 | 6.5 MEDIUM | 6.4 MEDIUM | ||
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| >= 7.4.0, < 7.4.2, >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.14 | 6.5 MEDIUM | 6.4 MEDIUM | ||
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| < 5.4.24, >= 5.4.25, < 5.5.8 | 8.8 HIGH | 6.5 MEDIUM | ||
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData parameter to index.php/api/v2_soap. | ||||
| >= 5.5.0, < 5.5.26, >= 5.4.0, < 5.4.41, >= 5.6.0, < 5.6.9 | 5.5 MEDIUM | 4.3 MEDIUM | ||
The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/". | ||||
| >= 5.5.0, < 5.5.26, >= 5.4.0, < 5.4.41, >= 5.6.0, < 5.6.9 | 7.8 HIGH | 6.8 MEDIUM | ||
The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier. | ||||
| = 7.4.0, >= 7.2.0, < 7.2.26, >= 7.3.0, < 7.3.13 | 4.8 MEDIUM | 6.4 MEDIUM | ||
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, <= 7.3.13, = 7.4.0 | 6.5 MEDIUM | 7.5 HIGH | ||
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. | ||||
| = 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.26 | 4.8 MEDIUM | 6.4 MEDIUM | ||
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| = 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.26 | 3.7 LOW | 4.3 MEDIUM | ||
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. | ||||
| = 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.26 | 3.7 LOW | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations. | ||||
| = 7.4.0, >= 7.3.0, <= 7.3.13, >= 7.2.0, <= 7.2.26 | 3.7 LOW | 5 MEDIUM | ||
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. | ||||
| < 5.3.6 | 9.8 CRITICAL | 7.5 HIGH | ||
SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6. | ||||
| >= 7.3.0, < 7.3.10 | 7.5 HIGH | 5 MEDIUM | ||
Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. | ||||
| >= 5.0.0, < 5.4.4 | 7.5 HIGH | 5 MEDIUM | ||
PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output. | ||||
| >= 7.1.0, < 7.1.33, >= 7.2.0, < 7.2.24, >= 7.3.0, < 7.3.11 | 8.7 HIGH | 7.5 HIGH | ||
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. | ||||
| >= 7.1.0, < 7.1.31, >= 7.2.0, < 7.2.21, >= 7.3.0, < 7.3.8 | 7.1 HIGH | 5.8 MEDIUM | ||
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| >= 7.1.0, < 7.1.31, >= 7.2.0, < 7.2.21, >= 7.3.0, < 7.3.8 | 7.1 HIGH | 5.8 MEDIUM | ||
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| >= 7.0.0, < 7.0.16 | — | 5 MEDIUM | ||
main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input. | ||||
| >= 7.3.0, < 7.3.9, >= 7.2.0, < 7.2.23, >= 7.1.0, < 7.1.32 | 9.8 CRITICAL | 7.5 HIGH | ||
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. | ||||
| >= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.19 | 9.1 CRITICAL | 6.4 MEDIUM | ||
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.19 | 9.1 CRITICAL | 6.4 MEDIUM | ||
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, < 7.3.6, >= 7.1.0, < 7.1.30, >= 7.2.0, < 7.2.19 | 5.3 MEDIUM | 5 MEDIUM | ||
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. | ||||
| >= 7.3.0, < 7.3.5, >= 7.2.0, < 7.2.18, >= 7.1.0, < 7.1.29 | 9.1 CRITICAL | 6.4 MEDIUM | ||
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, < 7.3.4, >= 7.2.9, < 7.2.17, >= 7.1.0, < 7.1.28 | 9.1 CRITICAL | 6.4 MEDIUM | ||
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, < 7.3.4, >= 7.2.9, < 7.2.17, >= 7.1.0, < 7.1.28 | 9.1 CRITICAL | 6.4 MEDIUM | ||
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. | ||||
| >= 7.3.0, < 7.3.3, >= 7.0.0, < 7.1.27 | — | 6.8 MEDIUM | ||
An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible. | ||||
| < 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3 | — | 5 MEDIUM | ||
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data. | ||||
| < 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3 | 9.8 CRITICAL | 7.5 HIGH | ||
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. | ||||
| >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3, >= 7.1.0, < 7.1.27 | 7.5 HIGH | 5 MEDIUM | ||
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. | ||||
| < 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3 | 7.5 HIGH | 5 MEDIUM | ||
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable. | ||||
| < 7.1.27, >= 7.2.0, < 7.2.16, >= 7.3.0, < 7.3.3 | 7.5 HIGH | 5 MEDIUM | ||
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len. | ||||
| >= 7.3.0, < 7.3.1 | — | 7.5 HIGH | ||
An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.1 | — | 5 MEDIUM | ||
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.1 | — | 7.5 HIGH | ||
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, >= 7.3.0, < 7.3.2 | — | 5 MEDIUM | ||
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.1 | — | 7.5 HIGH | ||
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40, >= 7.3.0, < 7.3.1 | — | 7.5 HIGH | ||
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. | ||||
| < 5.6.39, >= 7.0.0, < 7.0.33, >= 7.1.0, < 7.1.25, >= 7.2.0, < 7.2.13 | — | 5 MEDIUM | ||
In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c. | ||||
| = 7.3.0, >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.1.26, < 5.6.40 | — | 6.8 MEDIUM | ||
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data. | ||||
| >= 7.2.0, < 7.2.14, >= 7.0.0, < 7.0.33, >= 7.1.0, < 7.1.26, >= 5.6.0, < 5.6.39 | 7.5 HIGH | 5 MEDIUM | ||
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function. | ||||
| >= 5.0.0, <= 5.6.38 | — | 6.5 MEDIUM | ||
An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management. | ||||
| >= 5.6.0, <= 5.6.38, >= 7.2.0, <= 7.2.12, >= 7.1.0, <= 7.1.24, >= 7.0.0, <= 7.0.32 | 7.5 HIGH | 8.5 HIGH | ||
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument. | ||||
| >= 5.0.0, <= 7.1.24 | — | 5 MEDIUM | ||
ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class. | ||||
| >= 5.0.0, <= 7.1.24 | — | 5 MEDIUM | ||
ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell"). | ||||