Buffer overflow in PHP cgi program, php.cgi allows shell access.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 2.0b10 |
| php | php | 1.0 |
CGI PHP mylog script allows an attacker to read any file on the target server.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 2.0 |
| php | php | 2.0b10 |
| php | php | 1.0 |
php.cgi allows attackers to read any file on the system.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 2.0 |
| php | php | 2.0b10 |
| php | php | 1.0 |
CGI PHP mlog script allows an attacker to read any file on the target server.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php_fi | * |
PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 3.0.5 |
| php | php | 3.0.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 3.0.13 |
| php | php | 3.0.10 |
| php | php | 3.0.12 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 3.0.8 |
| php | php | 3.0.4 |
| php | php | 3.0.11 |
| php | php | 3.0 |
| php | php | 3.0.1 |
The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 2.0b10 |
| php | php | 3.0.6 |
| php | php | 3.0.3 |
| php | php | 1.0 |
| php | php | 3.0.7 |
| php | php | 3.0.13 |
| php | php | 3.0.10 |
| php | php | 3.0.12 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 3.0.8 |
| php | php | 2.0 |
| php | php | 3.0.4 |
| php | php | 3.0.11 |
| php | php | 3.0 |
| php | php | 3.0.1 |
PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 3.0 |
PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.3 |
| mandrakesoft | mandrake_linux | 7.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-88,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.0.4pl1 |
The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.3 |
| mandrakesoft | mandrake_linux | 7.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.1.1 |
| php | php | 4.1.0 |
| php | php | 4.0.6 |
| php | php | 3.0 |
PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.0 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.1.2 |
Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 3.0.13 |
| php | php | 3.0.10 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 3.0.8 |
| php | php | 4.0.3 |
| php | php | 4.1.0 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 3.0.4 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 3.0 |
| php | php | 3.0.1 |
PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 4.0.3 |
| php | php | 4.1.0 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
| php | php | 4.1.2 |
move_uploaded_file in PHP does not does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 3.0.6 |
| php | php | 3.0.13 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.1.0 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 3.0.3 |
| php | php | 3.0.14 |
| php | php | 3.0.7 |
| php | php | 3.0.10 |
| php | php | 4.0.7 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 3.0.1 |
PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP POST request with certain arguments in a multipart/form-data form, which generates an error condition that is not properly handled and causes improper memory to be freed.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.2.0 |
| php | php | 4.2.1 |
Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-88,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| openpkg | openpkg | 1.2 |
| openpkg | openpkg | 1.1 |
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 4.2.0 |
| php | php | 4.0.7 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.1.0 |
| php | php | 4.0.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2 and before 4.3.0 may allow attackers to cause a denial of service or execute arbitrary code.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.2.0 |
| php | php | 4.2.1 |
| php | php | 4.1.2 |
| php | php | 4.2.3 |
| php | php | 4.2.2 |
CRLF injection vulnerability in PHP 4.2.1 through 4.2.3, when allow_url_fopen is enabled, allows remote attackers to modify HTTP headers for outgoing requests by causing CRLF sequences to be injected into arguments that are passed to the (1) fopen or (2) file functions.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.2.0 |
| php | php | 3.0.14 |
| php | php | 4.0.7 |
| php | php | 4.1.2 |
| php | php | 3.0.15 |
| php | php | 4.2.2 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.1.0 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.2.3 |
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.2.3 |
phpSquidPass before 0.2 uses an incomplete regular expression to find a matching username in its database, which allows remote authenticated attackers to effectively delete other usernames via a short username that matches the end of the targeted username.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | phpsquidpass | * |
The php_if_imap_mime_header_decode function in the IMAP functionality in PHP before 4.2.2 allows remote attackers to cause a denial of service (crash) via an e-mail header with a long "To" header.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.2.0 |
| php | php | 4.2.1 |
| php | php | 4.2 |
The imap_header function in the IMAP functionality for PHP before 4.3.0 allows remote attackers to cause a denial of service via an e-mail message with a large number of "To" addresses, which triggers an error in the rfc822_write_address function.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 3.0.6 |
| php | php | 3.0.13 |
| php | php | 3.0.12 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.1.0 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 3.0.3 |
| php | php | 3.0.14 |
| php | php | 3.0.7 |
| php | php | 3.0.10 |
| php | php | 4.0.7 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 3.0.1 |
php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not terminate properly, which allows remote attackers to cause a denial of service via a direct request without arguments.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 3.0.6 |
| php | php | 3.0.13 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.1.0 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 3.0.3 |
| php | php | 3.0.14 |
| php | php | 3.0.7 |
| php | php | 3.0.10 |
| php | php | 4.0.7 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 3.0.1 |
Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.0 |
Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 4.2.0 |
| php | php | 4.0.7 |
| php | php | 4.1.2 |
| php | php | 4.3.0 |
| php | php | 4.2.2 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.1.0 |
| php | php | 4.3.1 |
| php | php | 4.0.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
| php | php | 4.2.3 |
Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.1 |
PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.4.6 |
Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| redhat | linux | 9.0 |
| redhat | linux | 8.0 |
Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 4.2.0 |
| php | php | 4.3.2 |
| php | php | 4.0.7 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.3.0 |
| php | php | 4.2.2 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.1.0 |
| php | php | 4.3.1 |
| php | php | 4.0.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
| php | php | 4.2.3 |
Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 4.2.0 |
| php | php | 4.3.2 |
| php | php | 4.0.7 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.3.0 |
| php | php | 4.2.2 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.1.0 |
| php | php | 4.3.1 |
| php | php | 4.0.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
| php | php | 4.2.3 |
The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.2 |
| php | php | 4.3.1 |
| php | php | 4.3.0 |
The IMAP functionality in PHP before 4.3.1 allows remote attackers to cause a denial of service via an e-mail message with a (1) To or (2) From header with an address that contains a large number of "\" (backslash) characters.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.2.0 |
| php | php | 4.2.1 |
| php | php | 4.2 |
| php | php | 4.2.3 |
| php | php | 4.3.0 |
| php | php | 4.2.2 |
Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.2 |
| php | php | 4.3.1 |
| php | php | 4.3.0 |
PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-367,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| trustix | secure_linux | 2.0 |
| debian | debian_linux | 3.0 |
| php | php | 5.0.0 |
| trustix | secure_linux | 2.1 |
| hp | hp-ux | b.11.11 |
| hp | hp-ux | b.11.00 |
| openpkg | openpkg | 2.1 |
| hp | hp-ux | b.11.23 |
| php | php | * |
| trustix | secure_linux | 1.5 |
| hp | hp-ux | b.11.22 |
| openpkg | openpkg | 2.0 |
| avaya | converged_communications_server | 2.0 |
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| trustix | secure_linux | 2.0 |
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| avaya | s8700 | r2.0.1 |
| trustix | secure_linux | 2.1 |
| php | php | 4.3.5 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| redhat | fedora_core | core_2.0 |
| trustix | secure_linux | 1.5 |
| avaya | s8300 | r2.0.1 |
| php | php | 4.1.0 |
| avaya | s8700 | r2.0.0 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| avaya | integrated_management | * |
| php | php | 4.3.3 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| avaya | s8500 | r2.0.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| avaya | s8300 | r2.0.0 |
| php | php | 4.3.1 |
| redhat | fedora_core | core_1.0 |
| php | php | 4.0.4 |
| avaya | s8500 | r2.0.1 |
| php | php | 4.0.6 |
| avaya | converged_communications_server | 2.0 |
php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 4.10 |
The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| trustix | secure_linux | 2.0 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| openpkg | openpkg | 2.1 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.0.2 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| openpkg | openpkg | 2.2 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| openpkg | openpkg | current |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| trustix | secure_linux | 2.1 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| ubuntu | ubuntu_linux | 4.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| trustix | secure_linux | 2.2 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 4.3.6 |
| php | php | 5.0.2 |
| php | php | 4.3.7 |
| php | php | 5.0.1 |
| php | php | 4.3.9 |
| php | php | 5.0 |
| php | php | 4.3.8 |
PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 4.10 |
The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 4.10 |
Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| trustix | secure_linux | 2.0 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| openpkg | openpkg | 2.1 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.0.2 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| openpkg | openpkg | 2.2 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| openpkg | openpkg | current |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| trustix | secure_linux | 2.1 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| ubuntu | ubuntu_linux | 4.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| trustix | secure_linux | 2.2 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
| php | php | 4.0.5 |
| php | php | 4.0.3 |
| php | php | 4.0.2 |
| php | php | 4.0.4 |
| php | php | 4.0.1 |
| php | php | 4.0.6 |
| php | php | 4.0.7 |
The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.3 |
| php | php | 4.3.10 |
| php | php | 4.3.9 |
| php | php | 4.2.2 |
The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.3 |
| php | php | 4.3.10 |
| php | php | 4.3.9 |
| php | php | 4.2.2 |
PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0 |
Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.3.1 |
| php | php | 4.3.3 |
| php | php | 4.3.7 |
| php | php | 4.3.10 |
| php | php | 4.3.9 |
| php | php | 4.3.0 |
| php | php | 4.3.8 |
exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| suse | suse_linux | 6.4 |
| apple | mac_os_x | 10.4 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| suse | suse_linux | 3.0 |
| suse | suse_linux | 4.4 |
| apple | mac_os_x | 10.3.9 |
| suse | suse_linux | 6.1 |
| suse | suse_linux | 9.3 |
| suse | suse_linux | 9.2 |
| suse | suse_linux | 8.2 |
| suse | suse_linux | 8.0 |
| php | php | 4.3.2 |
| suse | suse_linux | 7.2 |
| suse | suse_linux | 4.0 |
| php | php | 4.3.3 |
| apple | mac_os_x_server | 10.3.9 |
| suse | suse_linux | 6.3 |
| suse | suse_linux | 5.0 |
| suse | suse_linux | 5.2 |
| peachtree | peachtree_linux | release_1 |
| php | php | 4.3.9 |
| suse | suse_linux | 8.1 |
| suse | suse_linux | 9.1 |
| suse | suse_linux | 6.2 |
| suse | suse_linux | 5.1 |
| suse | suse_linux | 6.0 |
| suse | suse_linux | 4.2 |
| php | php | 4.3.7 |
| suse | suse_linux | 7.0 |
| suse | suse_linux | 4.4.1 |
| php | php | 4.3.6 |
| suse | suse_linux | 2.0 |
| conectiva | linux | 9.0 |
| conectiva | linux | 10.0 |
| suse | suse_linux | 4.3 |
| php | php | 4.3.10 |
| apple | mac_os_x_server | 10.4 |
| suse | suse_linux | 1.0 |
| php | php | 4.3.0 |
| apple | mac_os_x_server | 10.4.1 |
| apple | mac_os_x | 10.4.1 |
| php | php | 4.3.1 |
| suse | suse_linux | 7.3 |
| suse | suse_linux | 5.3 |
| sgi | propack | 3.0 |
| suse | suse_linux | 9.0 |
| php | php | 4.3.8 |
| suse | suse_linux | 7.1 |
Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 3.1 |
| gggeek | phpxmlrpc | * |
| drupal | drupal | * |
| php | xml_rpc | * |
| tiki | tikiwiki_cms/groupware | * |
fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not properly restrict access to other directories when the open_basedir directive includes a trailing slash, which allows PHP scripts in one directory to access files in other directories whose names are substrings of the original directory.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.4.0 |
The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) for PHP 5.x before 5.1.0 final and 4.4 before 4.4.1 final allows attackers to cause a denial of service (segmentation fault) via the session.save_path option in a .htaccess file or VirtualHost.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Unspecified vulnerability in PHP before 4.4.1, when using the virtual function on Apache 2, allows remote attackers to bypass safe_mode and open_basedir directives.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 5.0.3 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
Unspecified vulnerability in PEAR installer 1.4.2 and earlier allows user-assisted attackers to execute arbitrary code via a crafted package that can execute code when the pear command is executed or when the Web/Gtk frontend is loaded.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pear | 1.3.3 |
| php | pear | 1.0 |
| php | pear | 1.3.6 |
| php | pear | * |
| php | pear | 1.1 |
| php | pear | 1.3 |
| php | pear | 1.3.4 |
| php | pear | 0.90 |
| php | pear | 1.4.0 |
| php | pear | 1.2.1 |
| php | pear | 0.10 |
| php | pear | 0.11 |
| php | pear | 1.3.3.1 |
| php | pear | 1.4.1 |
| php | pear | 1.2 |
| php | pear | 1.3.5 |
| php | pear | 0.9 |
| php | pear | 1.0.1 |
| php | pear | 1.3.1 |
Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.4.0 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.10 |
The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pear | 0.2.2 |
| apache2triad | apache2triad | * |
Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.0 |
| php | php | 5.1.1 |
Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.1.0 |
| php | php | 5.0.3 |
| php | php | 5.0.4 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.0.2 |
| php | php | 5.0.1 |
| php | php | 5.0 |
Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.1.0 |
| php | php | 4.3.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.2 |
| php | php | 4.4.2 |
Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.6 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.4.1 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.2 |
| php | php | 5.0 |
| php | php | 5.1.0 |
| php | php | 4.3.11 |
| php | php | 5.0.4 |
| php | php | 4.4.0 |
| php | php | 5.0.5 |
| php | php | 5.0.2 |
| php | php | 4.3.7 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mail function, allows remote attackers to read and create arbitrary files via the sendmail -C and -X arguments. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.1.0 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation fault) by defining and executing a recursive function. NOTE: it has been reported by a reliable third party that some later versions are also affected.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.2 |
| php | php | 4.4.2 |
Cross-site scripting (XSS) vulnerability in search.php in PHP Script Index allows remote attackers to inject arbitrary web script or HTML via the search parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php_script_index | * |
SQL injection vulnerability in PHP Script Index allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php_script_index | * |
The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.1.0 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.2 |
| php | php | 4.4.2 |
The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.2 |
Cross-site scripting (XSS) vulnerability in index.php in Directory Listing Script allows remote attackers to inject arbitrary web script or HTML via the dir parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | directory_listing_script | * |
The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing null characters.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.1.4 |
| php | php | 4.4.2 |
Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.1.4 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.4.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
zend_hash_del_key_or_index in zend_hash.c in PHP before 4.4.3 and 5.x before 5.1.3 can cause zend_hash_del to delete the wrong element, which prevents a variable from being unset even when the PHP unset function is called, which might cause the variable's value to be used in security-relevant operations.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 4.2 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | pl1 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 4.3.1 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 4.3.4 |
| php | php | 4.3.5 |
| php | php | 4.2 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.1.0 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 4.0 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 4.3.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 4.3.10 |
| php | php | 5.0.1 |
| php | php | 4.0.7 |
| php | php | 5.0 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.4.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 4.3.1 |
| php | php | 4.0.4 |
| php | php | 4.0.6 |
| php | php | 4.3.9 |
| php | php | 4.3.8 |
PHP remote file inclusion vulnerability in signer/final.php in warez distributions of Animated Smiley Generator allows remote attackers to execute arbitrary PHP code via a URL in the smiley parameter. NOTE: the vendor disputes this issue, stating that only Warez versions of Animated Smiley Generator were affected, not the developer-provided software: "Legitimately purchased applications do not allow this exploit.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | animated_smiley_generator | * |
The imap_body function in PHP before 4.4.4 does not implement safemode or open_basedir checks, which allows local users to read arbitrary files or list arbitrary directory contents.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-674,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server | 3.0 |
| suse | linux_enterprise_server | 10 |
| redhat | enterprise_linux_desktop | 3.0 |
| redhat | enterprise_linux_server | 2.0 |
| novell | suse_linux | 10.0 |
| redhat | enterprise_linux_server | 4.0 |
| canonical | ubuntu_linux | 7.10 |
| suse | linux_enterprise_server | 8 |
| redhat | enterprise_linux_workstation | 3.0 |
| php | php | * |
| redhat | enterprise_linux_workstation | 2.0 |
| novell | suse_linux | 10.1 |
| redhat | enterprise_linux_workstation | 4.0 |
| redhat | enterprise_linux_desktop | 4.0 |
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| pecl_zip | 1.8.3 | * |
| php | php | 5.2.1 |
| php | php | 5.2.0 |
| pierrejoye | php_zip | * |
The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | - |
| canonical | ubuntu_linux | 6.10 |
| canonical | ubuntu_linux | 7.04 |
| canonical | ubuntu_linux | 6.06 |
Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.2 |
| php | php | 5.0.1 |
| php | php | * |
| php | php | 5.1.0 |
| php | php | 5.1.3 |
| php | php | 5.1.5 |
| php | php | 5.0.4 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-131,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 8.04 |
| fedoraproject | fedora | 9 |
| apple | mac_os_x_server | * |
| fedoraproject | fedora | 8 |
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 7.10 |
| canonical | ubuntu_linux | 7.04 |
| canonical | ubuntu_linux | 6.06 |
Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP before 5.2.6 has unknown impact and attack vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.2 |
| php | php | 5.0.1 |
| php | php | * |
| php | php | 5.2.4 |
| php | php | 5.1.0 |
| php | php | 5.1.3 |
| php | php | 5.1.5 |
| php | php | 5.0.4 |
| php | php | 5.2.3 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-331,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 8.04 |
| fedoraproject | fedora | 9 |
| fedoraproject | fedora | 8 |
| debian | debian_linux | 4.0 |
| canonical | ubuntu_linux | 7.10 |
| canonical | ubuntu_linux | 7.04 |
| canonical | ubuntu_linux | 6.06 |
The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 4.0 |
| debian | debian_linux | 5.0 |
| debian | debian_linux | 6.0 |
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.11 |
| libgd | gd_graphics_library | 2.0.34 |
| libgd | gd_graphics_library | 2.0.36 |
| libgd | gd_graphics_library | 2.0.33 |
| php | php | 5.3.0 |
| libgd | gd_graphics_library | 2.0.35 |
main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 4.0 |
| debian | debian_linux | 5.0 |
| php | php | 5.3.0 |
| apple | mac_os_x | 10.6.3 |
| debian | debian_linux | 6.0 |
Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 3.0.13 |
| php | php | 5.1.5 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.1 |
The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | * |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.2.6 |
The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.2.6 |
session.c in the session extension in PHP before 5.2.13, and 5.3.1, does not properly interpret ; (semicolon) characters in the argument to the session_save_path function, which allows context-dependent attackers to bypass open_basedir and safe_mode restrictions via an argument that contains multiple ; characters in conjunction with a .. (dot dot).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.2.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.1.0 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.0.1 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal call, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to write to arbitrary memory addresses by using an object's __sleep function to interrupt an internal call to the shm_put_var function, which triggers access of a freed resource.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| suse | linux_enterprise | 10.0 |
| suse | linux_enterprise | 11.0 |
| opensuse | opensuse | 11.3 |
| opensuse | opensuse | 11.1 |
| opensuse | opensuse | 11.2 |
The (1) sqlite_single_query and (2) sqlite_array_query functions in ext/sqlite/sqlite.c in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to execute arbitrary code by calling these functions with an empty SQL query, which triggers access of uninitialized memory.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information by interrupting the handler for the (1) ZEND_BW_XOR opcode (shift_left_function), (2) ZEND_SL opcode (bitwise_xor_function), or (3) ZEND_SR opcode (shift_right_function), related to the convert_to_long_base function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (PHP crash) via a crafted first argument to the fnmatch function, as demonstrated using a long string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
| php | php | 5.3.1 |
The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_build_query, (5) strpbrk, and (6) strtr functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_word_count, and (6) str_pad functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; the (5) ZEND_FETCH_RW, (6) ZEND_CONCAT, and (7) ZEND_ASSIGN_CONCAT opcodes; and the (8) ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler. NOTE: vectors 2 through 4 are related to the call time pass by reference feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.5 |
| php | php | 5.2.6 |
The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 5.0 |
| debian | debian_linux | 6.0 |
Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
| php | php | 5.3.3 |
| php | php | 5.3.1 |
| php | php | 5.3.2 |
mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
| php | php | 5.3.1 |
| php | php | 5.3.2 |
The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
| php | php | 5.3.1 |
| php | php | 5.3.2 |
Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.0 |
| php | php | 5.3.1 |
| php | php | 5.3.2 |
The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.2 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 8.04 |
| canonical | ubuntu_linux | 10.10 |
| canonical | ubuntu_linux | 9.10 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 6.06 |
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 8.04 |
| canonical | ubuntu_linux | 10.10 |
| canonical | ubuntu_linux | 9.10 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 6.06 |
Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.3 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 8.04 |
| canonical | ubuntu_linux | 10.10 |
| canonical | ubuntu_linux | 9.10 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 6.06 |
Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.3 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.3.1 |
Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.3.0 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.3 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.9 |
| php | php | 5.2.13 |
| php | php | 5.2.15 |
| php | php | 5.2.0 |
| php | php | 5.2.16 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.3.1 |
| php | php | 5.2.6 |
Use-after-free vulnerability in the Zend engine in PHP before 5.2.15 and 5.3.x before 5.3.4 might allow context-dependent attackers to cause a denial of service (heap memory corruption) or have unspecified other impact via vectors related to use of __set, __get, __isset, and __unset methods on objects accessed by a reference.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Stack-based buffer overflow in the GD extension in PHP before 5.2.15 and 5.3.x before 5.3.4 allows context-dependent attackers to cause a denial of service (application crash) via a large number of anti-aliasing steps in an argument to the imagepstext function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.2.1 |
| php | php | 5.3.0 |
| php | php | 5.2.10 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.3 |
| php | php | 5.3.2 |
| php | php | 5.2.4 |
| php | php | 5.2.12 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.2.0 |
| php | php | 5.3.1 |
The iconv_mime_decode_headers function in the Iconv extension in PHP before 5.3.4 does not properly handle encodings that are unrecognized by the iconv and mbstring (aka Multibyte String) implementations, which allows remote attackers to trigger an incomplete output array, and possibly bypass spam detection or have unspecified other impact, via a crafted Subject header in an e-mail message, as demonstrated by the ks_c_5601-1987 character set.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The set_magic_quotes_runtime function in PHP 5.3.2 and 5.3.3, when the MySQLi extension is used, does not properly interact with use of the mysqli_fetch_assoc function, which might make it easier for context-dependent attackers to conduct SQL injection attacks via crafted input that had been properly handled in earlier PHP versions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.3 |
| php | php | 5.3.2 |
The grapheme_extract function in the Internationalization extension (Intl) for ICU for PHP 5.3.5 allows context-dependent attackers to cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.5 |
The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.5 |
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.3.0 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.3.0 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pear | 0.2.2 |
| php | pear | 1.3.6 |
| php | pear | * |
| php | pear | 1.3 |
| php | pear | 0.90 |
| php | pear | 1.4.0 |
| php | pear | 1.6.1 |
| php | pear | 0.10 |
| php | pear | 1.3.3.1 |
| php | pear | 1.4.2 |
| php | pear | 1.4.1 |
| php | pear | 1.2 |
| php | pear | 0.9 |
| php | pear | 1.5.0 |
| php | pear | 1.3.1 |
| php | pear | 1.3.3 |
| php | pear | 1.0 |
| php | pear | 1.5.1 |
| php | pear | 1.1 |
| php | pear | 1.3.4 |
| php | pear | 1.2.1 |
| php | pear | 0.11 |
| php | pear | 1.3.5 |
| php | pear | 1.0.1 |
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pear | 0.2.2 |
| php | pear | 1.3.6 |
| php | pear | * |
| php | pear | 1.3 |
| php | pear | 0.90 |
| php | pear | 1.4.0 |
| php | pear | 1.6.1 |
| php | pear | 0.10 |
| php | pear | 1.3.3.1 |
| php | pear | 1.4.2 |
| php | pear | 1.4.1 |
| php | pear | 1.2 |
| php | pear | 0.9 |
| php | pear | 1.5.0 |
| php | pear | 1.3.1 |
| php | pear | 1.3.3 |
| php | pear | 1.0 |
| php | pear | 1.5.1 |
| php | pear | 1.1 |
| php | pear | 1.3.4 |
| php | pear | 1.2.1 |
| php | pear | 0.11 |
| php | pear | 1.9.1 |
| php | pear | 1.3.5 |
| php | pear | 1.0.1 |
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.3.0 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument, a related issue to CVE-2010-4409.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.6 |
Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.4 |
| php | php | 5.3.5 |
| php | php | 5.3.3 |
| php | php | 5.3.6 |
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 3.0.2 |
| php | php | 2.0 |
| php | php | 4.0.2 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.3.0 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 4.0.3 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.13 |
| solar_designer | crypt_blowfish | 0.4.6 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| solar_designer | crypt_blowfish | 0.2 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| solar_designer | crypt_blowfish | 0.4 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| solar_designer | crypt_blowfish | 0.4.5 |
| php | php | 4.0.2 |
| solar_designer | crypt_blowfish | 0.4.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| solar_designer | crypt_blowfish | 0.3 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| solar_designer | crypt_blowfish | 0.4.4 |
| php | php | 3.0.18 |
| postgresql | postgresql | * |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| solar_designer | crypt_blowfish | * |
| solar_designer | crypt_blowfish | 0.4.1 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 4.4.8 |
| solar_designer | crypt_blowfish | 0.4.3 |
PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.7 |
PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.1.2 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.2.10 |
| php | php | 3.0.14 |
| php | php | 4.4.6 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 5.0.1 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 4.4.3 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 3.0.4 |
| php | php | 4.3.9 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 3.0.18 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 4.0 |
| php | php | 3.0.5 |
| php | php | 4.2.0 |
| php | php | 4.3.6 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 5.3.3 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.3.1 |
| php | php | 4.4.5 |
| php | php | 4.4.8 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.8 |
| php | php | 5.3.7 |
PHP 5.3.8 does not always check the return value of the zend_strndup function, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.8 |
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 11.10 |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 8.04 |
| php | php | 5.4.0 |
| canonical | ubuntu_linux | 11.04 |
| debian | debian_linux | 5.0 |
| canonical | ubuntu_linux | 10.10 |
| canonical | ubuntu_linux | 10.04 |
| debian | debian_linux | 6.0 |
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.26 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 5.4.13 |
| php | php | 5.3.25 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | 5.3.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.1.0 |
| php | php | 5.4.0 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.4.3 |
| php | php | 5.0.3 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 5.2.4 |
| php | php | 5.3.20 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| php | php | 5.4.2 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
| php | php | 5.0.0 |
| php | php | 5.5.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 5.3.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.4.8 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 5.3.27 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.3.22 |
| php | php | 5.4.14 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.3.24 |
| php | php | 5.3.14 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 5.4.1 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.3.5 |
| php | php | 5.0.1 |
| php | php | 5.3.3 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.0 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.3.5 |
| php | php | 5.0.1 |
| php | php | 5.3.3 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.8 |
The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.3.5 |
| php | php | 5.0.1 |
| php | php | 5.3.3 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.3.5 |
| php | php | 5.0.1 |
| php | php | 5.3.3 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.9 |
PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.14 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.3.2 |
| php | php | * |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.0 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.3.8 |
| php | php | 5.1.4 |
| php | php | 5.0.2 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.0.3 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.2.10 |
| php | php | 5.3.5 |
| php | php | 5.0.1 |
| php | php | 5.3.3 |
| php | php | 5.2.4 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.0.5 |
| php | php | 5.1.1 |
| php | php | 5.2.0 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-77,CWE-77,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 12.1 |
| php | php | 5.2.14 |
| redhat | enterprise_linux_eus | 6.1 |
| php | php | 5.3.2 |
| hp | hp-ux | b.11.23 |
| php | php | * |
| redhat | enterprise_linux_eus | 5.6 |
| php | php | 5.1.0 |
| php | php | 5.4.0 |
| fedoraproject | fedora | 40 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| suse | linux_enterprise_software_development_kit | 10 |
| suse | linux_enterprise_server | 10 |
| php | php | 5.0.3 |
| suse | linux_enterprise_server | 11 |
| fedoraproject | fedora | 39 |
| php | php | 5.2.10 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | application_stack | 2.0 |
| php | php | 5.0.1 |
| php | php | 5.2.4 |
| redhat | enterprise_linux_desktop | 6.0 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| suse | linux_enterprise_software_development_kit | 11 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server_aus | 5.6 |
| php | php | 5.3.6 |
| debian | debian_linux | 6.0 |
| php | php | 5.2.6 |
| redhat | storage | 2.0 |
| apple | mac_os_x | * |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.3.7 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| redhat | gluster_storage_server_for_on-premise | 2.0 |
| php | php | 5.0.2 |
| redhat | enterprise_linux_server | 5.0 |
| redhat | enterprise_linux_workstation | 5.0 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.3.3 |
| redhat | enterprise_linux_server_aus | 5.3 |
| hp | hp-ux | b.11.31 |
| php | php | 5.1.3 |
| redhat | storage_for_public_cloud | 2.0 |
| redhat | enterprise_linux_eus | 6.2 |
| php | php | 5.0.4 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 5.4.1 |
| php | php | 5.2.17 |
| opensuse | opensuse | 11.4 |
| php | php | 5.3.1 |
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| freebsd | freebsd | 2.2.8 |
| freebsd | freebsd | 2.2.5 |
| freebsd | freebsd | 2.2 |
| freebsd | freebsd | 4.8 |
| freebsd | freebsd | 1.1 |
| freebsd | freebsd | 4.4 |
| freebsd | freebsd | 3.2 |
| freebsd | freebsd | 7.2 |
| freebsd | freebsd | 3.1 |
| php | php | * |
| freebsd | freebsd | * |
| freebsd | freebsd | 4.10 |
| postgresql | postgresql | 9.0 |
| freebsd | freebsd | 6.1 |
| freebsd | freebsd | 7.1 |
| postgresql | postgresql | 9.1 |
| freebsd | freebsd | 4.3 |
| postgresql | postgresql | 8.3 |
| freebsd | freebsd | 2.2.6 |
| freebsd | freebsd | 3.4 |
| freebsd | freebsd | 4.6.2 |
| freebsd | freebsd | 1.1.5 |
| freebsd | freebsd | 4.2 |
| freebsd | freebsd | 7.0 |
| freebsd | freebsd | 1.1.5.1 |
| freebsd | freebsd | 4.11 |
| freebsd | freebsd | 1.0 |
| freebsd | freebsd | 5.0 |
| debian | debian_linux | 6.0 |
| freebsd | freebsd | 2.1.6 |
| freebsd | freebsd | 4.0 |
| freebsd | freebsd | 5.2.1 |
| postgresql | postgresql | * |
| freebsd | freebsd | 8.1 |
| freebsd | freebsd | 5.5 |
| freebsd | freebsd | 3.3 |
| postgresql | postgresql | 8.4 |
| freebsd | freebsd | 7.3 |
| freebsd | freebsd | 4.6 |
| freebsd | freebsd | 2.2.1 |
| freebsd | freebsd | 8.2 |
| freebsd | freebsd | 8.0 |
| freebsd | freebsd | 4.7 |
| freebsd | freebsd | 6.3 |
| freebsd | freebsd | 2.1 |
| freebsd | freebsd | 5.4 |
| freebsd | freebsd | 2.1.7 |
| freebsd | freebsd | 7.4 |
| freebsd | freebsd | 3.0 |
| freebsd | freebsd | 2.2.7 |
| freebsd | freebsd | 4.5 |
| freebsd | freebsd | 4.9 |
| freebsd | freebsd | 5.1 |
| freebsd | freebsd | 6.2 |
| freebsd | freebsd | 2.2.2 |
| freebsd | freebsd | 6.4 |
| freebsd | freebsd | 5.2 |
| freebsd | freebsd | 2.0 |
| freebsd | freebsd | 8.3 |
| freebsd | freebsd | 4.1 |
| freebsd | freebsd | 3.5 |
| freebsd | freebsd | 6.0 |
| freebsd | freebsd | 2.1.5 |
| freebsd | freebsd | 4.1.1 |
| freebsd | freebsd | 2.0.5 |
| freebsd | freebsd | 5.3 |
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.0 |
| php | php | 5.4.1 |
| php | php | 5.4.2 |
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.2 |
| php | php | 5.3.12 |
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorrect handling of COM object VARIANT types, as exploited in the wild in May 2012.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 4.4.3 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 8.04 |
| canonical | ubuntu_linux | 12.04 |
| php | php | 5.4.0 |
| canonical | ubuntu_linux | 11.04 |
| canonical | ubuntu_linux | 10.04 |
| debian | debian_linux | 6.0 |
Untrusted search path vulnerability in the installation functionality in PHP 5.3.17, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\PHP directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the PHP installation
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.17 |
The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.10 |
| php | php | 5.3.12 |
| php | php | 5.3.11 |
| php | php | 5.3.9 |
| php | php | 5.3.13 |
ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 5.4.5 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 4.4.3 |
| php | php | 5.3.20 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 5.4.8 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.4.3 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 5.3.13 |
| php | php | 5.4.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 5.4.5 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 4.4.3 |
| php | php | 5.3.20 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 5.4.8 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 4.1.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.4.3 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 5.3.13 |
| php | php | 5.4.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| apple | mac_os_x | * |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 5 |
Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 5.4.5 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 4.4.3 |
| php | php | 5.3.20 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 5.4.8 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.4.14 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.3.24 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 5.4.13 |
| php | php | 4.1.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.4.3 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.3.13 |
| php | php | 5.4.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.22 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.3 |
| php | php | 5.4.8 |
| php | php | 5.5.0 |
| php | php | 5.4.13 |
| php | php | 5.4.14 |
| php | php | 5.4.10 |
| php | php | 5.4.5 |
| php | php | * |
| php | php | 5.4.6 |
| php | php | 5.4.9 |
| php | php | 5.4.11 |
| php | php | 5.4.0 |
| php | php | 5.4.12 |
| php | php | 5.4.1 |
| php | php | 5.4.2 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.26 |
| php | php | 5.2.14 |
| canonical | ubuntu_linux | 13.04 |
| php | php | 5.3.12 |
| php | php | 5.4.13 |
| php | php | 5.3.25 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | 5.3.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.1.0 |
| php | php | 5.4.0 |
| php | php | 5.2.3 |
| php | php | 5.2.13 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.4.3 |
| php | php | 5.0.3 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| redhat | enterprise_linux | 5 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 5.2.4 |
| canonical | ubuntu_linux | 12.10 |
| php | php | 5.3.20 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.2.15 |
| php | php | 5.1.1 |
| php | php | 5.4.2 |
| php | php | 5.3.6 |
| php | php | 5.2.6 |
| php | php | 5.0.0 |
| php | php | 5.5.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 5.3.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 5.5.1 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| canonical | ubuntu_linux | 12.04 |
| php | php | 5.4.8 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 5.3.27 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.3.22 |
| php | php | 5.4.14 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| canonical | ubuntu_linux | 10.04 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.0.4 |
| php | php | 5.3.24 |
| php | php | 5.3.14 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 5.4.1 |
| php | php | 5.2.17 |
| php | php | 5.3.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Cross-site scripting (XSS) vulnerability in XHProf before 0.9.4 allows remote attackers to inject arbitrary web script or HTML via the run parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | xhprof | * |
| php | xhprof | 0.9.1 |
| php | xhprof | 0.9.0 |
| php | xhprof | 0.9.2 |
Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 1.0 |
| php | php | 3.0.12 |
| php | php | 5.4.5 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 4.4.3 |
| php | php | 5.3.20 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 5.4.8 |
| php | php | 4.3.6 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.4.14 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.3.24 |
| php | php | 5.3.19 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 5.4.13 |
| php | php | 4.1.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.4.3 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 3.0.14 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.1.1 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.3.13 |
| php | php | 5.4.11 |
| php | php | 4.3.11 |
| php | php | 4.4.0 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 3.0.3 |
| php | php | 3.0.7 |
| php | php | 5.3.22 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 4.2.1 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.3 |
| php | php | 5.4.8 |
| php | php | 5.4.13 |
| php | php | 5.4.15 |
| php | php | 5.4.14 |
| php | php | 5.4.10 |
| php | php | 5.4.5 |
| php | php | 5.4.6 |
| php | php | 5.4.9 |
| php | php | 5.4.11 |
| php | php | 5.4.0 |
| php | php | 5.4.12 |
| php | php | 5.4.1 |
| php | php | 5.4.2 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.3.26 |
| php | php | 5.3.12 |
| php | php | 5.4.13 |
| php | php | 5.3.25 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | 5.3.2 |
| php | php | 5.3.16 |
| php | php | * |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.3.23 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.3.21 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.3.17 |
| php | php | 5.3.20 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.3.6 |
| apple | mac_os_x | * |
| php | php | 5.5.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 5.3.13 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.3.8 |
| php | php | 5.5.1 |
| php | php | 5.3.9 |
| opensuse | opensuse | 12.3 |
| opensuse | opensuse | 12.2 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| opensuse | opensuse | 13.1 |
| php | php | 5.3.18 |
| php | php | 5.3.10 |
| php | php | 5.3.5 |
| php | php | 5.3.22 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 5.4.9 |
| php | php | 5.3.24 |
| php | php | 5.3.14 |
| php | php | 5.3.19 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.1 |
| opensuse | opensuse | 11.4 |
| php | php | 5.3.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| suse | linux_enterprise_server | 11.0 |
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| opensuse | opensuse | 12.2 |
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 12.04 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 13.04 |
| canonical | ubuntu_linux | 10.04 |
| php | php | * |
| canonical | ubuntu_linux | 12.10 |
| canonical | ubuntu_linux | 13.10 |
| opensuse | opensuse | 11.4 |
| debian | debian_linux | 6.0 |
| opensuse | opensuse | 12.3 |
Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer overflow.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.4 |
| php | php | 5.5.6 |
| php | php | 5.5.0 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.5.2 |
| php | php | 5.5.8 |
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| php | php | 5.5.4 |
| php | php | 5.5.0 |
| php | php | 5.5.2 |
| canonical | ubuntu_linux | 10.04 |
| php | php | * |
| canonical | ubuntu_linux | 12.10 |
| canonical | ubuntu_linux | 13.10 |
| php | php | 5.5.6 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.4 |
| php | php | 5.5.6 |
| php | php | 5.5.0 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.5.2 |
| php | php | 5.5.8 |
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| christos_zoulas | file | * |
| debian | debian_linux | 6.0 |
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| oracle | linux | 7 |
| opensuse | opensuse | 11.4 |
| christos_zoulas | file | * |
file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| fine_free_file_project | fine_free_file | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 12.10 |
| canonical | ubuntu_linux | 13.10 |
| canonical | ubuntu_linux | 10.04 |
| debian | debian_linux | 6.0 |
ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which might allow remote attackers to obtain sensitive information by using a (1) string or (2) array data type in place of a numeric data type, as demonstrated by an imagecrop function call with a string for the x dimension value, a different vulnerability than CVE-2013-7226.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 5.5.4 |
| php | php | 5.5.6 |
| php | php | 5.5.0 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.5.2 |
softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| opensuse | opensuse | 13.1 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 10.04 |
| php | php | * |
| canonical | ubuntu_linux | 12.10 |
| canonical | ubuntu_linux | 13.10 |
| file_project | file | * |
| opensuse | opensuse | 11.4 |
| debian | debian_linux | 6.0 |
| opensuse | opensuse | 12.3 |
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_tus | 6.5 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_eus | 7.4 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_eus | 7.3 |
| php | php | * |
| redhat | enterprise_linux_server_aus | 7.6 |
| oracle | solaris | 11.2 |
| redhat | enterprise_linux_server_aus | 6.5 |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server_aus | 7.3 |
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux_eus | 6.5 |
| suse | linux_enterprise_server | 11 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_server_tus | 7.7 |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_eus | 7.7 |
| canonical | ubuntu_linux | 16.04 |
| suse | linux_enterprise_software_development_kit | 11 |
| redhat | enterprise_linux_server | 6.0 |
| canonical | ubuntu_linux | 15.10 |
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| christos_zoulas | file | * |
| christos_zoulas | file | 5.10 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| christos_zoulas | file | 5.02 |
| christos_zoulas | file | 5.11 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.11 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| christos_zoulas | file | 5.07 |
| christos_zoulas | file | 5.12 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| christos_zoulas | file | 5.04 |
| christos_zoulas | file | 5.03 |
| php | php | 5.5.0 |
| christos_zoulas | file | 5.16 |
| php | php | 5.4.15 |
| christos_zoulas | file | 5.05 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| christos_zoulas | file | 5.06 |
| christos_zoulas | file | 5.09 |
| christos_zoulas | file | 5.00 |
| christos_zoulas | file | 5.14 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| christos_zoulas | file | 5.13 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| christos_zoulas | file | 5.01 |
| christos_zoulas | file | 5.08 |
| christos_zoulas | file | 5.17 |
| christos_zoulas | file | 5.15 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| oracle | linux | 7 |
| file_project | file | * |
| opensuse | opensuse | 11.4 |
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| oracle | linux | 7 |
| file_project | file | * |
| opensuse | opensuse | 11.4 |
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| oracle | linux | 7 |
| file_project | file | * |
| opensuse | opensuse | 11.4 |
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| christos_zoulas | file | 5.03 |
| christos_zoulas | file | 5.06 |
| christos_zoulas | file | 5.09 |
| christos_zoulas | file | 5.00 |
| christos_zoulas | file | 5.14 |
| debian | debian_linux | 8.0 |
| christos_zoulas | file | 5.16 |
| christos_zoulas | file | 5.05 |
| christos_zoulas | file | * |
| christos_zoulas | file | 5.07 |
| christos_zoulas | file | 5.10 |
| christos_zoulas | file | 5.12 |
| php | php | * |
| christos_zoulas | file | 5.13 |
| christos_zoulas | file | 5.02 |
| christos_zoulas | file | 5.11 |
| christos_zoulas | file | 5.04 |
| christos_zoulas | file | 5.01 |
| christos_zoulas | file | 5.08 |
| christos_zoulas | file | 5.17 |
| christos_zoulas | file | 5.15 |
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| christos_zoulas | file | 5.18 |
| christos_zoulas | file | * |
| christos_zoulas | file | 5.10 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| christos_zoulas | file | 5.02 |
| christos_zoulas | file | 5.11 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.11 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| christos_zoulas | file | 5.07 |
| christos_zoulas | file | 5.12 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| christos_zoulas | file | 5.04 |
| christos_zoulas | file | 5.03 |
| php | php | 5.5.0 |
| christos_zoulas | file | 5.16 |
| php | php | 5.4.15 |
| christos_zoulas | file | 5.05 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| christos_zoulas | file | 5.06 |
| christos_zoulas | file | 5.09 |
| christos_zoulas | file | 5.00 |
| christos_zoulas | file | 5.14 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| christos_zoulas | file | 5.13 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| christos_zoulas | file | 5.01 |
| christos_zoulas | file | 5.08 |
| christos_zoulas | file | 5.17 |
| christos_zoulas | file | 5.15 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.11 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.32 |
| php | php | 5.6.0 |
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.4.31 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.32 |
| php | php | 5.6.0 |
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.4.31 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.32 |
| php | php | 5.6.0 |
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.4.31 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 14.10 |
| canonical | ubuntu_linux | 10.04 |
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| php | php | 5.6.0 |
| debian | debian_linux | 8.0 |
| opensuse | opensuse | 11.3 |
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.0 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.6 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | 5.5.13 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.4.31 |
| php | php | 5.5.11 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | opensuse | 13.1 |
| opensuse | evergreen | 11.4 |
| oracle | solaris | 11.2 |
| opensuse | opensuse | 12.3 |
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 5.2.4 |
| php | php | 5.2.3 |
| php | php | 5.2.1 |
| php | php | 5.2.0 |
| php | php | 5.2.2 |
| php | php | 5.2.5 |
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| apple | mac_os_x | * |
The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable
CVSS 2.0
Severity: HIGH
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.19 |
| php | php | 4.3.4 |
| php | php | 3.0.6 |
| php | php | 4.3.5 |
| php | php | 5.2.14 |
| php | php | 5.3.12 |
| php | php | 1.0 |
| php | php | 5.4.26 |
| php | php | 5.3.28 |
| php | php | 3.0.12 |
| php | php | 4.2.2 |
| php | php | 5.3.2 |
| php | php | 3.0.9 |
| php | php | 5.1.0 |
| php | php | 3.0.2 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.5.11 |
| php | php | 5.0.3 |
| php | php | 4.0.0 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| php | php | 4.4.6 |
| php | php | 5.5.14 |
| php | php | 5.0.1 |
| php | php | 5.3.17 |
| php | php | 4.4.3 |
| php | php | 5.3.20 |
| php | php | 5.2.15 |
| php | php | 5.4.2 |
| php | php | 3.0.4 |
| php | php | 5.2.6 |
| php | php | 3.0.1 |
| php | php | 4.1.1 |
| php | php | 5.0.0 |
| php | php | 5.5.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.2.2 |
| php | php | 5.4.34 |
| php | php | 5.3.7 |
| php | php | 5.3.11 |
| php | php | 3.0.13 |
| php | php | 5.4.25 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.3.8 |
| php | php | 5.5.1 |
| php | php | 4.1.0 |
| php | php | 5.0.2 |
| php | php | 5.4.28 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.2.5 |
| php | php | 4.2.3 |
| php | php | 3.0 |
| php | php | 3.0.5 |
| php | php | 4.3.6 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.3.10 |
| php | php | 5.5.12 |
| php | php | 5.3.5 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 4.3.10 |
| php | php | 4.0.7 |
| php | php | 4.4.7 |
| php | php | 4.4.9 |
| php | php | 4.3.0 |
| php | php | 5.1.3 |
| php | php | 5.3.24 |
| php | php | 5.3.19 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 4.4.5 |
| php | php | 5.4.1 |
| php | php | 4.0.6 |
| php | php | 5.3.1 |
| php | php | 3.0.11 |
| php | php | 4.3.8 |
| php | php | 5.3.26 |
| php | php | 4.0.5 |
| php | php | 3.0.16 |
| php | php | 3.0.17 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.4.13 |
| php | php | 5.3.25 |
| php | php | 5.4.16 |
| php | php | 4.1.2 |
| php | php | 5.3.16 |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.2.3 |
| php | php | 2.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 4.0.2 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 2.0b10 |
| php | php | 4.3.2 |
| php | php | 5.4.18 |
| php | php | 3.0.14 |
| php | php | 5.5.2 |
| php | php | 4.4.1 |
| php | php | 4.4.2 |
| php | php | 4.3.3 |
| php | php | 3.0.10 |
| php | php | 4.4.4 |
| php | php | 5.6.2 |
| php | php | 3.0.15 |
| php | php | 5.2.4 |
| php | php | 3.0.8 |
| php | php | 5.4.12 |
| php | php | 5.2.9 |
| php | php | 5.5.6 |
| php | php | 5.1.1 |
| php | php | 5.4.36 |
| php | php | 5.5.5 |
| php | php | 4.0.4 |
| php | php | 4.3.9 |
| php | php | 5.3.6 |
| php | php | 3.0.18 |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.3.4 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.3.13 |
| php | php | 5.4.11 |
| php | php | 4.3.11 |
| php | php | 5.4.23 |
| php | php | 4.4.0 |
| php | php | 5.5.7 |
| php | php | 4.0.1 |
| php | php | 4.3.7 |
| php | php | 4.0 |
| php | php | 4.2.0 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 5.3.27 |
| php | php | 3.0.3 |
| php | php | 5.4.27 |
| php | php | 3.0.7 |
| php | php | 5.3.22 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.35 |
| php | php | 4.0.3 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 4.2.1 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 4.3.1 |
| php | php | 5.2.17 |
| php | php | 4.4.8 |
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| file_project | file | * |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| file_project | file | * |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| debian | debian_linux | 7.0 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| libgd | libgd | * |
| opensuse | opensuse | 13.1 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | opensuse | 13.2 |
| canonical | ubuntu_linux | 15.10 |
Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| hiphop_virtual_machine_for_php_project | hiphop_virtual_machine_for_php | * |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.0 |
| php | php | 5.4.13 |
| php | php | 5.4.15 |
| php | php | 5.4.26 |
| php | php | 5.5.8 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | 5.4.25 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.5.11 |
| php | php | 5.4.3 |
| php | php | 5.4.8 |
| php | php | 5.5.4 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.6.2 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.4.34 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.35 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.4.13 |
| php | php | 5.4.26 |
| php | php | 5.4.5 |
| php | php | 5.4.16 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.4.0 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.6.2 |
| php | php | 5.4.12 |
| php | php | 5.5.6 |
| php | php | 5.4.2 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.4.15 |
| php | php | 5.4.34 |
| php | php | 5.5.8 |
| php | php | 5.4.25 |
| php | php | 5.4.6 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.5.1 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.4.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.12 |
| php | php | 5.4.27 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.9 |
| php | php | 5.4.35 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.4.1 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_lsms | 13.1 |
| apple | mac_os_x | * |
| debian | debian_linux | 8.0 |
| oracle | communications_session_border_controller | * |
| oracle | communications_eagle_lnp_application_processor | 10.0 |
| oracle | communications_policy_management | 9.9.1 |
| oracle | communications_policy_management | 12.1.1 |
| oracle | communications_user_data_repository | * |
| php | php | * |
| ibm | security_access_manager_for_enterprise_single_sign-on | 8.2 |
| oracle | communications_session_border_controller | 7.2.0 |
| oracle | communications_application_session_controller | * |
| oracle | communications_webrtc_session_controller | 7.0 |
| ibm | pureapplication_system | 1.0.0.0 |
| oracle | communications_policy_management | 10.4.1 |
| oracle | communications_webrtc_session_controller | 7.1 |
| debian | debian_linux | 7.0 |
| gnu | glibc | * |
| ibm | pureapplication_system | 2.0.0.0 |
| oracle | vm_virtualbox | * |
| ibm | pureapplication_system | 1.1.0.0 |
| oracle | linux | 7 |
| redhat | virtualization | 6.0 |
| oracle | communications_eagle_application_processor | 16.0 |
| oracle | communications_policy_management | 11.5 |
| oracle | communications_session_border_controller | 8.0.0 |
| oracle | exalogic_infrastructure | 2.0 |
| oracle | communications_webrtc_session_controller | 7.2 |
| oracle | exalogic_infrastructure | 1.0 |
| oracle | communications_policy_management | 9.7.3 |
| oracle | linux | 5 |
Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| apple | mac_os_x | * |
| oracle | linux | 6 |
| oracle | linux | 7 |
| oracle | solaris | 11.2 |
| oracle | secure_backup | * |
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| apple | mac_os_x | * |
Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 7.0 |
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux_desktop | 7.0 |
| opensuse | opensuse | 13.1 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| canonical | ubuntu_linux | 14.10 |
| canonical | ubuntu_linux | 10.04 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| canonical | ubuntu_linux | 14.04 |
| opensuse | opensuse | 13.2 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| opensuse | opensuse | 13.1 |
| debian | debian_linux | 8.0 |
| rxspencer_project | rxspencer | 3.8.g5 |
| opensuse | opensuse | 13.2 |
| canonical | ubuntu_linux | 14.10 |
| canonical | ubuntu_linux | 10.04 |
| canonical | ubuntu_linux | 15.04 |
The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| mariadb | mariadb | * |
| opensuse | opensuse | 13.1 |
| pcre | pcre | * |
| opensuse | opensuse | 13.2 |
The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| mariadb | mariadb | * |
| opensuse | opensuse | 13.1 |
| pcre | pcre | * |
| opensuse | opensuse | 13.2 |
Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| opensuse | opensuse | 13.2 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| debian | debian_linux | 7.0 |
| php | php | 5.6.1 |
| fedoraproject | fedora | 22 |
| php | php | 5.5.4 |
| opensuse | opensuse | 13.1 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| nih | libzip | * |
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| opensuse | opensuse | 13.2 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| opensuse | opensuse | 13.1 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| apple | mac_os_x | 10.10.3 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| opensuse | opensuse | 13.2 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| opensuse | opensuse | 13.1 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| apple | mac_os_x | 10.10.4 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| apple | mac_os_x | 10.9.5 |
| php | php | 5.6.6 |
| apple | mac_os_x | 10.10.0 |
| apple | mac_os_x | 10.10.1 |
| apple | mac_os_x | 10.10.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_eus | 7.5 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_desktop | 7.0 |
| mariadb | mariadb | * |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_eus | 7.2 |
| redhat | enterprise_linux_eus | 7.4 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_eus | 7.1 |
| redhat | enterprise_linux_eus | 7.3 |
| php | php | * |
| oracle | mysql | * |
| redhat | enterprise_linux_server_aus | 7.6 |
| fedoraproject | fedora | 21 |
| oracle | mysql_connector/c | * |
| fedoraproject | fedora | 22 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.4 |
The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| apple | mac_os_x | 10.10.3 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| oracle | solaris | 11.2 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| oracle | linux | 6 |
| oracle | linux | 7 |
| apple | mac_os_x | 10.10.4 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| apple | mac_os_x | 10.9.5 |
| php | php | 5.6.6 |
| apple | mac_os_x | 10.10.0 |
| apple | mac_os_x | 10.10.1 |
| redhat | enterprise_linux | 6.0 |
| apple | mac_os_x | 10.10.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that result in a "deconfigured interpreter."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| oracle | solaris | 11.2 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| oracle | linux | 6 |
| oracle | linux | 7 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| sqlite | sqlite | * |
| canonical | ubuntu_linux | 12.04 |
| apple | mac_os_x | 10.10.5 |
| apple | watchos | 1.0.1 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 15.04 |
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-404,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| sqlite | sqlite | * |
| canonical | ubuntu_linux | 12.04 |
| apple | mac_os_x | 10.10.5 |
| apple | watchos | 1.0.1 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 15.04 |
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| sqlite | sqlite | * |
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| apple | watchos | * |
| canonical | ubuntu_linux | 15.04 |
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.4.39 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.4.39 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| oracle | solaris | 11.2 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| oracle | linux | 6 |
| oracle | linux | 7 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.4.39 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| hp | system_management_homepage | * |
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.4.39 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.4.39 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.8 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.7 |
The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-19,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.5.11 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.5.11 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| php | php | 5.5.25 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| redhat | enterprise_linux_hpc_node | 7.0 |
The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| redhat | enterprise_linux_desktop | 7.0 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| redhat | enterprise_linux_hpc_node | 7.0 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_hpc_node_eus | 7.1 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 on Windows allows remote attackers to execute arbitrary OS commands via a crafted string to an application that accepts command-line arguments for a call to the PHP system function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_desktop | 7.0 |
| debian | debian_linux | 8.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| php | php | * |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.1 |
| redhat | enterprise_linux_server_eus | 7.2 |
| debian | debian_linux | 7.0 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_tus | 6.6 |
| oracle | linux | 6 |
| oracle | linux | 7 |
| redhat | enterprise_linux_server_aus | 6.6 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | enterprise_linux_server_eus | 6.6 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server_aus | 7.4 |
The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| redhat | enterprise_linux | 7.0 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| redhat | enterprise_linux | 6.0 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.26 |
Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.26 |
The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows remote attackers to execute arbitrary code via a crafted value in the third argument to the str_ireplace function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.0 |
Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers to execute arbitrary code via crafted serialized data that triggers a "type confusion" in the serialize_function_call function.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| xmlsoft | libxml2 | * |
| php | php | 5.5.26 |
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.28 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| xmlsoft | libxml2 | * |
| php | php | 5.5.26 |
The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.7 |
Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.7 |
PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
| oracle | linux | 7 |
PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,CWE-185,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_eus | 7.5 |
| fedoraproject | fedora | 22 |
| redhat | enterprise_linux_server_aus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_desktop | 7.0 |
| oracle | linux | 7 |
| redhat | enterprise_linux_eus | 7.2 |
| redhat | enterprise_linux_eus | 7.4 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | enterprise_linux_eus | 7.3 |
| php | php | * |
| redhat | enterprise_linux_server_aus | 7.2 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.2 |
| pcre | pcre | * |
| redhat | enterprise_linux_server_aus | 7.4 |
pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | perl_compatible_regular_expression_library | * |
PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| pcre | perl_compatible_regular_expression_library | * |
Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging the relationships between a key buffer and a destroyed array.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.0 |
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-134,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.1 |
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.26 |
The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| suse | linux_enterprise_module_for_web_scripting | 12 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| opensuse | opensuse | 13.2 |
| canonical | ubuntu_linux | 15.10 |
| opensuse | leap | 42.1 |
| suse | linux_enterprise_software_development_kit | 12 |
The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.10 |
Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 42.1 |
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 42.1 |
Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| libgd | libgd | * |
main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.0 |
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.5.8 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.3.0 |
The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.14 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.1.0 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.1.0 |
| debian | debian_linux | 8.0 |
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-193,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| debian | debian_linux | 8.0 |
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.14 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.1.0 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.14 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | 7.0.1 |
| php | php | 7.1.0 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 17.10 |
The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 22 |
| pcre | pcre | 8.38 |
| fedoraproject | fedora | 23 |
| oracle | solaris | 11.3 |
The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.9 |
| php | php | 7.0.1 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 7.0.0 |
Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7.0.2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a long string to the (1) php_escape_shell_cmd or (2) php_escape_shell_arg function, leading to a heap-based buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.1 |
| php | php | 7.0.0 |
Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 7.0.1 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 7.0.2 |
| php | php | 5.6.7 |
| php | php | 7.0.0 |
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-681,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | opensuse | 13.2 |
| canonical | ubuntu_linux | 15.10 |
| fedoraproject | fedora | 23 |
| fedoraproject | fedora | 24 |
| libgd | libgd | 2.1.1 |
Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a crafted index.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.1 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.18 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.18 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.6.4 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.22 |
| php | php | 5.5.8 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.25 |
| php | php | 5.6.7 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.5.4 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.5.2 |
| php | php | 5.5.12 |
| php | php | 5.5.14 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.6 |
| php | php | 5.5.24 |
| php | php | 7.0.1 |
| php | php | 5.5.6 |
| php | php | 5.5.10 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.27 |
| php | php | 5.5.26 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this qualifies as security issue (probably not).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-189,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.25 |
| php | php | 5.6.14 |
| php | php | 5.5.29 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.5.30 |
| php | php | 5.5.4 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.6.12 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.5.24 |
| php | php | 7.0.1 |
| php | php | 5.5.6 |
| php | php | 5.6.16 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.33 |
| php | php | 5.5.27 |
| php | php | 7.0.0 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.5.22 |
| php | php | 7.0.4 |
| php | php | 5.5.8 |
| php | php | 7.0.3 |
| php | php | 5.5.32 |
| php | php | 5.5.1 |
| php | php | 5.6.15 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.31 |
| php | php | 5.6.7 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.6.18 |
| php | php | 5.5.12 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.5.10 |
| php | php | 5.5.26 |
| php | php | 7.0.2 |
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.3 |
| php | php | 5.5.16 |
| php | php | 5.6.10 |
| php | php | 5.5.25 |
| php | php | 5.6.14 |
| php | php | 5.5.29 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.5.30 |
| php | php | 5.5.4 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.6.12 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.5.24 |
| php | php | 7.0.1 |
| php | php | 5.5.6 |
| php | php | 5.6.16 |
| php | php | 5.5.5 |
| php | php | 5.5.17 |
| php | php | 5.5.33 |
| php | php | 5.5.27 |
| php | php | 7.0.0 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.5.22 |
| php | php | 7.0.4 |
| php | php | 5.5.8 |
| php | php | 7.0.3 |
| php | php | 5.5.32 |
| php | php | 5.5.1 |
| php | php | 5.6.15 |
| php | php | 5.5.15 |
| php | php | 5.5.7 |
| php | php | 5.5.31 |
| php | php | 5.6.7 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.6.18 |
| php | php | 5.5.12 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.5.10 |
| php | php | 5.5.26 |
| php | php | 7.0.2 |
Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.5.23 |
| php | php | 5.5.19 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.6.9 |
| php | php | 5.5.3 |
| php | php | 5.6.10 |
| php | php | 5.5.25 |
| php | php | 5.6.14 |
| php | php | 5.5.29 |
| php | php | 5.5.11 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.5.30 |
| php | php | 5.5.4 |
| php | php | 5.5.2 |
| php | php | 5.5.14 |
| php | php | 5.6.12 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.5.24 |
| php | php | 7.0.1 |
| php | php | 5.5.6 |
| php | php | 5.6.16 |
| php | php | 5.5.5 |
| php | php | 5.5.33 |
| php | php | 5.5.27 |
| php | php | 7.0.0 |
| apple | mac_os_x | * |
| php | php | 5.6.4 |
| php | php | 5.5.18 |
| php | php | 5.5.0 |
| php | php | 5.5.22 |
| php | php | 7.0.4 |
| php | php | 5.5.8 |
| php | php | 7.0.3 |
| php | php | 5.5.32 |
| php | php | 5.5.1 |
| php | php | 5.6.15 |
| php | php | 5.5.7 |
| php | php | 5.6.7 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.6.18 |
| php | php | 5.5.12 |
| php | php | 5.6.8 |
| php | php | 5.6.5 |
| php | php | 5.5.10 |
| php | php | 5.5.26 |
| php | php | 7.0.2 |
ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 7.0.1 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 7.0.2 |
| php | php | 5.6.7 |
| php | php | 7.0.0 |
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | opensuse | 13.2 |
Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | opensuse | 13.2 |
| opensuse | leap | 42.1 |
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.7 |
| php | php | 5.6.9 |
| suse | linux_enterprise_module_for_web_scripting | 12 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| suse | linux_enterprise_software_development_kit | 12 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.16 |
| php | php | 5.6.21 |
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| opensuse | leap | 42.1 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| hp | system_management_homepage | * |
| php | php | 7.0.2 |
| fedoraproject | fedora | 24 |
| php | php | 7.0.0 |
The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| opensuse | opensuse | 13.2 |
| opensuse | leap | 42.1 |
| fedoraproject | fedora | 24 |
The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 7.0.6 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.18 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.21 |
Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from a FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-5094.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.18 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.21 |
Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.18 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 5.6.21 |
sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | * |
| php | php | 5.6.6 |
| php | php | 5.6.9 |
| php | php | 7.0.1 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.16 |
| php | php | 5.6.14 |
| php | php | 5.6.7 |
| php | php | 7.0.0 |
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | enterprise_manager_ops_center | 12.3.2 |
| oracle | enterprise_manager_ops_center | 12.2.2 |
| debian | debian_linux | 8.0 |
| drupal | drupal | * |
| oracle | linux | 6 |
| oracle | linux | 7 |
| redhat | enterprise_linux_workstation | 6.0 |
| opensuse | leap | 42.1 |
| hp | storeever_msl6480_tape_library_firmware | * |
| php | php | * |
| redhat | enterprise_linux_desktop | 6.0 |
| oracle | communications_user_data_repository | 12.0.0 |
| oracle | communications_user_data_repository | 10.0.0 |
| hp | system_management_homepage | * |
| redhat | enterprise_linux_server | 6.0 |
| fedoraproject | fedora | 23 |
| oracle | communications_user_data_repository | 10.0.1 |
| fedoraproject | fedora | 24 |
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 7.0.6 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 7.0.6 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| opensuse | opensuse | 13.2 |
| opensuse | leap | 42.1 |
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| opensuse | opensuse | 13.2 |
| opensuse | leap | 42.1 |
Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| suse | linux_enterprise_server | 11 |
| debian | debian_linux | 8.0 |
| suse | linux_enterprise_software_development_kit | 11 |
| opensuse | opensuse | 13.2 |
| suse | linux_enterprise_debuginfo | 11 |
| opensuse | leap | 42.1 |
php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.6 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pecl_http | * |
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 5.5.4 |
| php | php | 5.5.6 |
| php | php | 5.5.0 |
| php | php | 5.5.1 |
| php | php | 5.5.3 |
| php | php | 5.5.5 |
| php | php | 5.5.7 |
| php | php | 5.5.2 |
| invisioncommunity | invision_power_board | * |
Integer overflow in the _gdContributionsAlloc function in gd_interpolation.c in GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds memory write or memory consumption) via unspecified vectors.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-190,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| libgd | libgd | * |
| debian | debian_linux | 8.0 |
| opensuse | leap | 42.1 |
The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.6.4 |
| php | php | 5.6.0 |
| php | php | 5.6.3 |
| php | php | 5.6.11 |
| php | php | 5.6.20 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 5.6.9 |
| php | php | 5.6.10 |
| php | php | 5.6.15 |
| php | php | 5.6.23 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 5.6.14 |
| php | php | 5.6.22 |
| php | php | 5.6.7 |
| php | php | 5.6.1 |
| php | php | 5.6.13 |
| php | php | 5.6.18 |
| php | php | 7.0.5 |
| php | php | 5.6.8 |
| php | php | 5.6.12 |
| php | php | 5.6.5 |
| php | php | 5.6.2 |
| php | php | 5.6.19 |
| php | php | 5.6.6 |
| php | php | 5.6.17 |
| php | php | 7.0.1 |
| php | php | 5.6.16 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
| php | php | 5.6.21 |
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
Zend/zend_alloc.c in PHP 7.x before 7.0.10, when open_basedir is enabled, mishandles huge realloc operations, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a long pathname.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandled in a curl_escape call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.9 |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.2 |
| php | php | 7.0.3 |
| php | php | 7.0.0 |
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-704,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | ext-http | 2.6.0 |
| php | ext-http | 3.1.0 |
| php | ext-http | * |
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 5.4.38 |
| php | php | 5.4.43 |
| php | php | 5.5.19 |
| php | php | 5.2.14 |
| php | php | 5.6.11 |
| php | php | 7.0.11 |
| php | php | 5.3.12 |
| php | php | 5.4.26 |
| php | php | 5.3.28 |
| php | php | 5.4.5 |
| php | php | 5.3.2 |
| php | php | 5.1.0 |
| php | php | 5.4.0 |
| php | php | 5.2.13 |
| php | php | 5.6.10 |
| php | php | 7.0.6 |
| php | php | 5.2.16 |
| php | php | 5.3.23 |
| php | php | 5.6.14 |
| php | php | 5.4.45 |
| php | php | 5.5.36 |
| php | php | 5.5.11 |
| php | php | 5.6.13 |
| php | php | 7.0.10 |
| php | php | 5.5.30 |
| php | php | 5.0.3 |
| php | php | 5.3.21 |
| php | php | 5.2.10 |
| php | php | 5.5.14 |
| php | php | 7.0.5 |
| php | php | 5.6.12 |
| php | php | 5.0.1 |
| php | php | 5.6.19 |
| php | php | 5.3.17 |
| php | php | 5.6.17 |
| php | php | 5.3.20 |
| php | php | 7.0.1 |
| php | php | 5.2.15 |
| php | php | 5.4.39 |
| php | php | 5.4.2 |
| php | php | 5.2.6 |
| php | php | 7.0.0 |
| php | php | 5.5.35 |
| php | php | 5.0.0 |
| php | php | 5.5.0 |
| php | php | 5.3.15 |
| php | php | 5.3.0 |
| php | php | 5.4.37 |
| php | php | 5.2.2 |
| php | php | 5.4.34 |
| php | php | 5.6.20 |
| php | php | 5.3.7 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 5.3.11 |
| php | php | 5.4.25 |
| php | php | 5.2.8 |
| php | php | 5.2.12 |
| php | php | 5.4.6 |
| php | php | 5.1.5 |
| php | php | 5.2.11 |
| php | php | 5.6.27 |
| php | php | 5.3.8 |
| php | php | 5.5.1 |
| php | php | 5.0.2 |
| php | php | 5.6.23 |
| php | php | 5.4.28 |
| php | php | 5.6.26 |
| php | php | 5.3.9 |
| php | php | 5.2.7 |
| php | php | 5.5.31 |
| php | php | 5.2.5 |
| php | php | 5.5.28 |
| php | php | 5.4.8 |
| php | php | 5.4.17 |
| php | php | 5.5.9 |
| php | php | 5.5.21 |
| php | php | 5.6.18 |
| php | php | 5.3.10 |
| php | php | 5.5.12 |
| php | php | 5.3.5 |
| php | php | 5.4.14 |
| php | php | 5.4.22 |
| php | php | 5.6.25 |
| php | php | 5.4.9 |
| php | php | 5.1.3 |
| php | php | 5.3.24 |
| php | php | 5.3.19 |
| php | php | 5.4.20 |
| php | php | 5.4.21 |
| php | php | 5.4.30 |
| php | php | 5.0.5 |
| php | php | 5.2.0 |
| php | php | 5.5.37 |
| php | php | 5.4.1 |
| php | php | 5.3.1 |
| php | php | 7.0.2 |
| php | php | 5.4.4 |
| php | php | 5.4.7 |
| php | php | 5.3.26 |
| php | php | 5.5.23 |
| php | php | 7.0.9 |
| php | php | 5.6.0 |
| php | php | 5.4.13 |
| php | php | 5.3.25 |
| php | php | 5.4.16 |
| php | php | 5.3.16 |
| php | php | 5.5.13 |
| php | php | 5.5.20 |
| php | php | 5.2.3 |
| php | php | 5.4.19 |
| php | php | 5.5.3 |
| php | php | 5.6.24 |
| php | php | 5.1.4 |
| php | php | 5.1.2 |
| php | php | 5.5.25 |
| php | php | 5.5.29 |
| php | php | 5.6.1 |
| php | php | 5.4.3 |
| php | php | 5.4.44 |
| php | php | 5.4.41 |
| php | php | 5.5.4 |
| php | php | 5.4.18 |
| php | php | 5.5.2 |
| php | php | 5.6.2 |
| php | php | 5.2.4 |
| php | php | 5.4.12 |
| php | php | 5.5.24 |
| php | php | 5.2.9 |
| php | php | 5.5.6 |
| php | php | 5.6.16 |
| php | php | 7.0.12 |
| php | php | 5.1.1 |
| php | php | 5.5.5 |
| php | php | 5.5.33 |
| php | php | 5.5.27 |
| php | php | 5.3.6 |
| php | php | 5.5.18 |
| php | php | 5.3.4 |
| php | php | 5.5.22 |
| php | php | 5.4.15 |
| php | php | 5.5.8 |
| php | php | 5.3.13 |
| php | php | 5.5.34 |
| php | php | 7.0.3 |
| php | php | 5.5.32 |
| php | php | 5.4.11 |
| php | php | 5.4.23 |
| php | php | 5.6.15 |
| php | php | 5.5.7 |
| php | php | 7.0.8 |
| php | php | 5.6.22 |
| php | php | 5.1.6 |
| php | php | 5.2.1 |
| php | php | 5.3.18 |
| php | php | 5.3.27 |
| php | php | 5.4.27 |
| php | php | 5.3.22 |
| php | php | 5.3.3 |
| php | php | 5.4.10 |
| php | php | 5.4.29 |
| php | php | 5.4.35 |
| php | php | 5.0.4 |
| php | php | 5.3.14 |
| php | php | 5.5.10 |
| php | php | 5.4.24 |
| php | php | 5.2.17 |
| php | php | 5.4.42 |
| php | php | 5.5.26 |
| php | php | 5.6.21 |
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.14 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | 7.0.1 |
| php | php | 7.1.0 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| libgd | libgd | * |
| debian | debian_linux | 8.0 |
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | 7.0.1 |
| php | php | 7.0.12 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.0.0 |
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.10 |
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.13 |
| php | php | 7.0.11 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.5 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.0.1 |
| php | php | 7.1.0 |
| php | php | 7.0.12 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-754,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.22 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.21 |
| php | php | 7.0.3 |
| php | php | 7.1.8 |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.1.7 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pear | 1.10.1 |
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.1.2 |
main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-918,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.0.14 |
| php | php | 7.0.15 |
| php | php | 7.0.9 |
| php | php | 7.0.11 |
| php | php | 7.0.18 |
| php | php | 7.1.2 |
| php | php | 7.0.4 |
| php | php | 7.0.7 |
| php | php | 7.0.3 |
| php | php | * |
| php | php | 7.1.0 |
| php | php | 7.0.17 |
| php | php | 7.0.16 |
| php | php | 7.0.8 |
| php | php | 7.0.6 |
| php | php | 7.1.5 |
| php | php | 7.0.10 |
| php | php | 7.0.13 |
| php | php | 7.1.6 |
| php | php | 7.0.5 |
| php | php | 7.0.19 |
| php | php | 7.0.1 |
| php | php | 7.1.3 |
| php | php | 7.0.12 |
| php | php | 7.1.4 |
| php | php | 7.0.20 |
| php | php | 7.0.2 |
| php | php | 7.1.1 |
| php | php | 7.0.0 |
The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| modx | modx_revolution | 2.5.6 |
| php | php | 5.3.3 |
PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
| php | php | 7.1.5 |
The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | clustered_data_ontap | - |
| netapp | storage_automation_store | - |
| php | php | 7.1.5 |
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| oniguruma_project | oniguruma | 6.2.0 |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| ruby-lang | ruby | * |
| oniguruma_project | oniguruma | 6.2.0 |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| oniguruma_project | oniguruma | 6.2.0 |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| oniguruma_project | oniguruma | 6.2.0 |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| oniguruma_project | oniguruma | 6.2.0 |
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| ruby-lang | ruby | * |
| oniguruma_project | oniguruma | 6.2.0 |
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.10 |
| php | pear_archive_tar | * |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
| canonical | ubuntu_linux | 18.04 |
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-88,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 19.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| uw-imap_project | uw-imap | 2007f |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| sdcms | sdcms | 1.6 |
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 42.3 |
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-681,CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| php | php | 7.2.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| php | php | 7.2.0 |
| canonical | ubuntu_linux | 17.10 |
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 7.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 17.10 |
| debian | debian_linux | 9.0 |
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-126,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| fedoraproject | fedora | 28 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| opensuse | leap | 42.3 |
| fedoraproject | fedora | 29 |
In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | imagick | * |
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-457,CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 18.04 |
| libgd | libgd | 2.2.5 |
| suse | linux_enterprise_software_development_kit | 12 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux | 8.0 |
| suse | linux_enterprise_desktop | 12 |
| canonical | ubuntu_linux | 19.10 |
| suse | linux_enterprise_server | 12 |
| suse | linux_enterprise_debuginfo | 11 |
| suse | linux_enterprise_workstation_extension | 12 |
| fedoraproject | fedora | 29 |
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 10.0 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 10.0 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H | 2.8 | 4.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H | 2.8 | 4.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| apple | mac_os_x | * |
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| security@php.net | 8.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N | 2.2 | 5.8 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_server_aus | 8.2 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.6_s390x |
| redhat | enterprise_linux_server_tus | 8.6 |
| redhat | enterprise_linux_for_power_little_endian | 7.0_ppc64le |
| redhat | enterprise_linux_eus | 8.4 |
| redhat | enterprise_linux_workstation | 7.0 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.2_s390x |
| fedoraproject | fedora | 31 |
| redhat | enterprise_linux_for_scientific_computing | 7.0 |
| redhat | enterprise_linux_server_tus | 8.2 |
| php | php | * |
| redhat | enterprise_linux_for_arm_64_eus | 8.8_aarch64 |
| redhat | enterprise_linux_for_ibm_z_systems | 7.0_s390x |
| debian | debian_linux | 10.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_for_ibm_z_systems | 6.0_s390x |
| redhat | enterprise_linux_eus_compute_node | 7.7 |
| redhat | enterprise_linux_for_power_little_endian | 8.0_ppc64le |
| redhat | enterprise_linux_server_tus | 8.8 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_for_arm_64 | 8.0_aarch64 |
| canonical | ubuntu_linux | 18.04 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.1_s390x |
| canonical | ubuntu_linux | 16.04 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.8_s390x |
| redhat | enterprise_linux_server | 6.0 |
| canonical | ubuntu_linux | 19.10 |
| redhat | enterprise_linux_for_power_big_endian_eus | 7.7_ppc64 |
| fedoraproject | fedora | 29 |
| redhat | enterprise_linux_eus | 8.1 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_for_power_big_endian | 7.0_ppc64 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 7.7_s390x |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_aus | 8.6 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.2_ppc64le |
| canonical | ubuntu_linux | 19.04 |
| redhat | enterprise_linux_for_arm_64_eus | 8.2_aarch64 |
| redhat | enterprise_linux_for_ibm_z_systems | 8.0_s390x |
| redhat | enterprise_linux_for_arm_64_eus | 8.4_aarch64 |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.1_ppc64le |
| tenable | tenable.sc | * |
| redhat | enterprise_linux_for_arm_64_eus | 8.6_aarch64 |
| redhat | enterprise_linux_eus | 8.8 |
| canonical | ubuntu_linux | 12.04 |
| fedoraproject | fedora | 30 |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.4_s390x |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_for_arm_64_eus | 8.1_aarch64 |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.8_ppc64le |
| redhat | enterprise_linux_eus | 8.2 |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.4_ppc64le |
| redhat | enterprise_linux_for_power_big_endian | 6.0_ppc64 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_eus | 8.6 |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.6_ppc64le |
| redhat | enterprise_linux_for_power_little_endian_eus | 7.7_ppc64le |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_aus | 8.4 |
| redhat | enterprise_linux_server_tus | 8.4 |
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-170,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 30 |
| php | php | 7.4.0 |
| fedoraproject | fedora | 31 |
| tenable | securitycenter | * |
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-170,CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| php | php | 7.4.0 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 19.10 |
| tenable | securitycenter | * |
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| php | php | 7.4.0 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 19.10 |
| tenable | securitycenter | * |
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | 3.9 | 2.5 |
| security@php.net | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 2.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| php | php | 7.4.0 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 19.10 |
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-400,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 30 |
| php | php | 7.4.0 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 31 |
| tenable | securitycenter | * |
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 19.04 |
| canonical | ubuntu_linux | 14.04 |
| php | php | 7.4.0 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| tenable | securitycenter | * |
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| fedoraproject | fedora | 30 |
| debian | debian_linux | 8.0 |
| oniguruma_project | oniguruma | 6.9.2 |
| fedoraproject | fedora | 29 |
Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| fedoraproject | fedora | 31 |
| oniguruma_project | oniguruma | * |
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 14.04 |
| php | php | 7.3.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.10 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| libgd | libgd | 2.2.5 |
| netapp | storage_automation_store | * |
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| opensuse | leap | 42.3 |
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| opensuse | leap | 42.3 |
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| opensuse | leap | 42.3 |
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| opensuse | leap | 42.3 |
An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | storage_automation_store | - |
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| opensuse | leap | 42.3 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-908,CWE-909,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| redhat | software_collections | 1.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.0 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 18.10 |
| netapp | storage_automation_store | - |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| opensuse | leap | 42.3 |
An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| opensuse | leap | 42.3 |
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | archive_tar | * |
| fedoraproject | fedora | 35 |
| drupal | drupal | * |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 32 |
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | archive_tar | * |
| fedoraproject | fedora | 35 |
| drupal | drupal | * |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 32 |
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,CWE-59,CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | archive_tar | * |
| fedoraproject | fedora | 35 |
| drupal | drupal | * |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 32 |
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| oracle | communications_diameter_signaling_router | * |
| tenable | tenable.sc | * |
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| oracle | communications_diameter_signaling_router | * |
| tenable | tenable.sc | * |
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | 3.9 | 2.5 |
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| debian | debian_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 19.10 |
| canonical | ubuntu_linux | 18.04 |
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
| security@php.net | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-281,CWE-281,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | 3.9 | 2.5 |
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L | 2.8 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 19.10 |
| tenable | tenable.sc | * |
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| security@php.net | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H | 2.2 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 19.10 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 18.04 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-170,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| tenable | tenable.sc | 5.19.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-196,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 10.0 |
| oracle | communications_diameter_signaling_router | * |
| debian | debian_linux | 9.0 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 2.2 | 2.5 |
| nvd@nist.gov | 3.6 | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L | 1.0 | 2.5 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-416,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2.8 | 2.5 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.2 |
| oracle | communications_diameter_signaling_router | * |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| netapp | clustered_data_ontap | - |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
| security@php.net | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-565,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| opensuse | leap | 15.2 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| fedoraproject | fedora | 32 |
| canonical | ubuntu_linux | 20.04 |
| canonical | ubuntu_linux | 18.04 |
| php | php | * |
| netapp | clustered_data_ontap | - |
| opensuse | leap | 15.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| debian | debian_linux | 10.0 |
| oracle | communications_diameter_signaling_router | * |
| debian | debian_linux | 9.0 |
In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,CWE-787,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 33 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 34 |
| oracle | communications_diameter_signaling_router | * |
| debian | debian_linux | 9.0 |
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 |
| security@php.net | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L | 1.6 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-190,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
| security@php.net | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| oracle | sd-wan_aware | 8.2 |
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N | 1.6 | 3.6 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-24,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-159,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | clustered_data_ontap | - |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 10.0 |
| tenable | tenable.sc | * |
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L | 3.9 | 4.2 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | archive_tar | * |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 33 |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 9.0 |
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | memcached | * |
pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-640,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pearweb | * |
pearweb < 1.32 suffers from Deserialization of Untrusted Data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | pearweb | * |
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
| security@php.net | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-590,CWE-824,CWE-763,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 10.0 |
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 10.0 |
In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | 2.2 | 5.5 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 37 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 37 |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 36 |
In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| extended_keccak_code_package_project | extended_keccak_code_package | - |
| pysha3_project | pysha3 | * |
| sha3_project | sha3 | * |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| debian | debian_linux | 10.0 |
| python | python | * |
| pypy | pypy | * |
| fedoraproject | fedora | 36 |
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| secalert@redhat.com | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 |
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | - |
| redhat | enterprise_linux | 7.0 |
| php | php | 7.4.0 |
| redhat | enterprise_linux | 6.0 |
| php | php | 8.0.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | software_collections | - |
| php | php | 8.1.0 |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.7 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.5 | 5.2 |
| nvd@nist.gov | 6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.5 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 2.6 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N | 1.2 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| security@php.net | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | 3.9 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 38 |
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 3.9 | 5.5 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 10.0 |
| fedoraproject | fedora | 38 |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 3.9 | 4.2 |
| security@php.net | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 2.2 | 2.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2.2 | 2.5 |
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 3.9 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 40 |
| fedoraproject | fedora | 39 |
The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 40 |
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| debian | debian_linux | 10.0 |
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| golang | go | * |
| rust-lang | rust | 1.77.2 |
| yt-dlp_project | yt-dlp | * |
| nodejs | node.js | * |
| haskell | process_library | 1.6.19.0 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 40 |
| fedoraproject | fedora | 39 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 40 |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L | 2.2 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| fedoraproject | fedora | 40 |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.6 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php-fpm | php-fpm | * |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.8 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N | 1.3 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | ontap | 9 |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.6 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.2 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| php | php | 8.5.0 |
In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H | 2.2 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | ontap | 9 |
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | ontap | 9 |
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
| netapp | ontap | 9 |
In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@php.net | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | php | * |
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | frankenphp | * |
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| php | frankenphp | * |