MidnightBSD

Advisories for php

CVE-1999-0058 HIGH

Buffer overflow in PHP cgi program, php.cgi allows shell access.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 2.0b10
php php 1.0
CVE-1999-0068 HIGH

CGI PHP mylog script allows an attacker to read any file on the target server.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 2.0
php php 2.0b10
php php 1.0
CVE-1999-0238 HIGH

php.cgi allows attackers to read any file on the system.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 2.0
php php 2.0b10
php php 1.0
CVE-1999-0346 MEDIUM

CGI PHP mlog script allows an attacker to read any file on the target server.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php_fi *
CVE-2000-0059 HIGH

PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 3.0.5
php php 3.0.6
php php 3.0.3
php php 3.0.7
php php 3.0.13
php php 3.0.10
php php 3.0.12
php php 3.0.9
php php 3.0.2
php php 3.0.8
php php 3.0.4
php php 3.0.11
php php 3.0
php php 3.0.1
CVE-2000-0860 MEDIUM

The file upload capability in PHP versions 3 and 4 allows remote attackers to read arbitrary files by setting hidden form fields whose names match the names of internal PHP script variables.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 3.0.5
php php 2.0b10
php php 3.0.6
php php 3.0.3
php php 1.0
php php 3.0.7
php php 3.0.13
php php 3.0.10
php php 3.0.12
php php 3.0.9
php php 3.0.2
php php 3.0.8
php php 2.0
php php 3.0.4
php php 3.0.11
php php 3.0
php php 3.0.1
CVE-2000-0967 HIGH

PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 3.0
CVE-2001-0108 MEDIUM

PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.3
mandrakesoft mandrake_linux 7.2
php php 4.0.4
php php 4.0.1
CVE-2001-1246 HIGH

PHP 4.0.5 through 4.1.0 in safe mode does not properly cleanse the 5th parameter to the mail() function, which allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,

Products Affected

Vendor Product Version
php php *
CVE-2001-1247 MEDIUM

PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.0.4pl1
CVE-2001-1385 MEDIUM

The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.3
mandrakesoft mandrake_linux 7.2
php php 4.0.4
php php 4.0.1
CVE-2002-0081 HIGH

Buffer overflows in (1) php_mime_split in PHP 4.1.0, 4.1.1, and 4.0.6 and earlier, and (2) php3_mime_split in PHP 3.0.x allows remote attackers to execute arbitrary code via a multipart/form-data HTTP POST request when file_uploads is enabled.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.1.1
php php 4.1.0
php php 4.0.6
php php 3.0
CVE-2002-0121 LOW

PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.0
php php 4.0.4
php php 4.0.6
php php 4.1.2
CVE-2002-0229 HIGH

Safe Mode feature (safe_mode) in PHP 3.0 through 4.1.0 allows attackers with access to the MySQL database to bypass Safe Mode access restrictions and read arbitrary files using "LOAD DATA INFILE LOCAL" SQL statements.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 3.0.5
php php 4.0.5
php php 3.0.16
php php 3.0.6
php php 3.0.3
php php 3.0.7
php php 3.0.13
php php 3.0.10
php php 3.0.12
php php 4.1.2
php php 3.0.9
php php 3.0.2
php php 3.0.8
php php 4.0.3
php php 4.1.0
php php 4.0.4
php php 4.0.1
php php 3.0.4
php php 4.0.6
php php 3.0.11
php php 3.0
php php 3.0.1
CVE-2002-0253 MEDIUM

PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 4.0.3
php php 4.1.0
php php 4.0.4
php php 4.0.1
php php 4.0.6
php php 4.1.2
CVE-2002-0484 MEDIUM

move_uploaded_file in PHP does not does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.18
php php 4.1.1
php php 3.0.16
php php 3.0.17
php php 3.0.6
php php 3.0.13
php php 3.0.12
php php 4.1.2
php php 3.0.9
php php 3.0.2
php php 4.1.0
php php 4.0.2
php php 4.0.1
php php 3.0
php php 4.0
php php 3.0.5
php php 3.0.3
php php 3.0.14
php php 3.0.7
php php 3.0.10
php php 4.0.7
php php 3.0.15
php php 3.0.8
php php 4.0.3
php php 4.0.4
php php 3.0.4
php php 4.0.6
php php 3.0.11
php php 3.0.1
CVE-2002-0717 HIGH

PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP POST request with certain arguments in a multipart/form-data form, which generates an error condition that is not properly handled and causes improper memory to be freed.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.2.0
php php 4.2.1
CVE-2002-0985 HIGH

Argument injection vulnerability in the mail function for PHP 4.x to 4.2.2 may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,

Products Affected

Vendor Product Version
php php *
openpkg openpkg 1.2
openpkg openpkg 1.1
CVE-2002-0986 MEDIUM

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 3.0.18
php php 4.1.1
php php 4.2.0
php php 4.0.7
php php 4.1.2
php php 4.2.2
php php 4.0.3
php php 4.2.1
php php 4.1.0
php php 4.0.2
php php 4.0.4
php php 4.0.1
php php 4.0.6
CVE-2002-1396 HIGH

Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2 and before 4.3.0 may allow attackers to cause a denial of service or execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.2.0
php php 4.2.1
php php 4.1.2
php php 4.2.3
php php 4.2.2
CVE-2002-1783 MEDIUM

CRLF injection vulnerability in PHP 4.2.1 through 4.2.3, when allow_url_fopen is enabled, allows remote attackers to modify HTTP headers for outgoing requests by causing CRLF sequences to be injected into arguments that are passed to the (1) fopen or (2) file functions.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.18
php php 4.1.1
php php 3.0.16
php php 3.0.17
php php 4.2.0
php php 3.0.14
php php 4.0.7
php php 4.1.2
php php 3.0.15
php php 4.2.2
php php 4.0.3
php php 4.2.1
php php 4.1.0
php php 4.0.4
php php 4.0.6
php php 4.2.3
CVE-2002-1954 MEDIUM

Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.2.3
CVE-2002-2175 MEDIUM

phpSquidPass before 0.2 uses an incomplete regular expression to find a matching username in its database, which allows remote authenticated attackers to effectively delete other usernames via a short username that matches the end of the targeted username.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php phpsquidpass *
CVE-2002-2214 MEDIUM

The php_if_imap_mime_header_decode function in the IMAP functionality in PHP before 4.2.2 allows remote attackers to cause a denial of service (crash) via an e-mail header with a long "To" header.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.2.0
php php 4.2.1
php php 4.2
CVE-2002-2215 MEDIUM

The imap_header function in the IMAP functionality for PHP before 4.3.0 allows remote attackers to cause a denial of service via an e-mail message with a large number of "To" addresses, which triggers an error in the rfc822_write_address function.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.18
php php 4.1.1
php php 3.0.16
php php 3.0.17
php php 3.0.6
php php 3.0.13
php php 3.0.12
php php 4.2
php php 4.1.2
php php 4.2.2
php php *
php php 3.0.9
php php 3.0.2
php php 4.1.0
php php 4.0.2
php php 4.0.1
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 3.0.3
php php 3.0.14
php php 3.0.7
php php 3.0.10
php php 4.0.7
php php 3.0.15
php php 3.0.8
php php 4.0.3
php php 4.2.1
php php 4.0.4
php php 3.0.4
php php 4.0.6
php php 3.0.11
php php 3.0.1
CVE-2002-2309 HIGH

php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not terminate properly, which allows remote attackers to cause a denial of service via a direct request without arguments.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.18
php php 4.1.1
php php 3.0.16
php php 3.0.17
php php 3.0.6
php php 3.0.13
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 3.0.2
php php 4.1.0
php php 4.0.2
php php 4.0.1
php php 4.0
php php 3.0.5
php php 4.2.0
php php 3.0.3
php php 3.0.14
php php 3.0.7
php php 3.0.10
php php 4.0.7
php php 3.0.15
php php 3.0.8
php php 4.0.3
php php 4.2.1
php php 4.0.4
php php 3.0.4
php php 4.0.6
php php 3.0.11
php php 3.0.1
CVE-2003-0097 HIGH

Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect).

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.0
CVE-2003-0166 HIGH

Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 4.1.1
php php 4.2.0
php php 4.0.7
php php 4.1.2
php php 4.3.0
php php 4.2.2
php php 4.0.3
php php 4.2.1
php php 4.1.0
php php 4.3.1
php php 4.0.2
php php 4.0.4
php php 4.0.1
php php 4.0.6
php php 4.2.3
CVE-2003-0172 HIGH

Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.1
CVE-2003-0249 HIGH

PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.4.6
CVE-2003-0442 MEDIUM

Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
redhat linux 9.0
redhat linux 8.0
CVE-2003-0860 HIGH

Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 4.1.1
php php 4.2.0
php php 4.3.2
php php 4.0.7
php php 4.2
php php 4.1.2
php php 4.3.0
php php 4.2.2
php php 4.0.3
php php 4.2.1
php php 4.1.0
php php 4.3.1
php php 4.0.2
php php 4.0.4
php php 4.0.1
php php 4.0.6
php php 4.2.3
CVE-2003-0861 HIGH

Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 4.1.1
php php 4.2.0
php php 4.3.2
php php 4.0.7
php php 4.2
php php 4.1.2
php php 4.3.0
php php 4.2.2
php php 4.0.3
php php 4.2.1
php php 4.1.0
php php 4.3.1
php php 4.0.2
php php 4.0.4
php php 4.0.1
php php 4.0.6
php php 4.2.3
CVE-2003-0863 HIGH

The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.2
php php 4.3.1
php php 4.3.0
CVE-2003-1302 MEDIUM

The IMAP functionality in PHP before 4.3.1 allows remote attackers to cause a denial of service via an e-mail message with a (1) To or (2) From header with an address that contains a large number of "\" (backslash) characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.2.0
php php 4.2.1
php php 4.2
php php 4.2.3
php php 4.3.0
php php 4.2.2
CVE-2003-1303 MEDIUM

Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.2
php php 4.3.1
php php 4.3.0
CVE-2004-0542 HIGH

PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
CVE-2004-0594 MEDIUM

The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-367,

Products Affected

Vendor Product Version
trustix secure_linux 2.0
debian debian_linux 3.0
php php 5.0.0
trustix secure_linux 2.1
hp hp-ux b.11.11
hp hp-ux b.11.00
openpkg openpkg 2.1
hp hp-ux b.11.23
php php *
trustix secure_linux 1.5
hp hp-ux b.11.22
openpkg openpkg 2.0
avaya converged_communications_server 2.0
CVE-2004-0595 MEDIUM

The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
trustix secure_linux 2.0
php php 4.0.5
php php 4.1.1
avaya s8700 r2.0.1
trustix secure_linux 2.1
php php 4.3.5
php php 4.1.2
php php 4.2.2
redhat fedora_core core_2.0
trustix secure_linux 1.5
avaya s8300 r2.0.1
php php 4.1.0
avaya s8700 r2.0.0
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
avaya integrated_management *
php php 4.3.3
php php 4.0.7
php php 5.0
php php 4.3.0
avaya s8500 r2.0.0
php php 4.0.3
php php 4.2.1
avaya s8300 r2.0.0
php php 4.3.1
redhat fedora_core core_1.0
php php 4.0.4
avaya s8500 r2.0.1
php php 4.0.6
avaya converged_communications_server 2.0
CVE-2004-0958 MEDIUM

php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2004-0959 LOW

rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2004-1018 HIGH

Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 4.10
CVE-2004-1019 HIGH

The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
trustix secure_linux 2.0
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
openpkg openpkg 2.1
php php 3.0.9
php php 3.0.2
php php 4.0.2
php php 4.3.2
php php 3.0.14
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
openpkg openpkg 2.2
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
openpkg openpkg current
php php 3.0.18
php php 4.1.1
php php 5.0.0
trustix secure_linux 2.1
php php 3.0.13
php php 4.2
php php 4.1.0
php php 5.0.2
php php 4.0.1
ubuntu ubuntu_linux 4.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
trustix secure_linux 2.2
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2004-1020 MEDIUM

The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.0.0
php php 4.3.6
php php 5.0.2
php php 4.3.7
php php 5.0.1
php php 4.3.9
php php 5.0
php php 4.3.8
CVE-2004-1063 HIGH

PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 4.10
CVE-2004-1064 HIGH

The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 4.10
CVE-2004-1065 HIGH

Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
trustix secure_linux 2.0
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
openpkg openpkg 2.1
php php 3.0.9
php php 3.0.2
php php 4.0.2
php php 4.3.2
php php 3.0.14
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
openpkg openpkg 2.2
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
openpkg openpkg current
php php 3.0.18
php php 4.1.1
php php 5.0.0
trustix secure_linux 2.1
php php 3.0.13
php php 4.2
php php 4.1.0
php php 5.0.2
php php 4.0.1
ubuntu ubuntu_linux 4.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
trustix secure_linux 2.2
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2004-1392 MEDIUM

PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
php php 4.0.5
php php 4.0.3
php php 4.0.2
php php 4.0.4
php php 4.0.1
php php 4.0.6
php php 4.0.7
CVE-2005-0524 MEDIUM

The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.0.3
php php 4.3.10
php php 4.3.9
php php 4.2.2
CVE-2005-0525 MEDIUM

The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.0.3
php php 4.3.10
php php 4.3.9
php php 4.2.2
CVE-2005-0596 LOW

PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0
CVE-2005-1042 HIGH

Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.6
php php 4.3.2
php php 4.3.4
php php 4.3.5
php php 4.3.1
php php 4.3.3
php php 4.3.7
php php 4.3.10
php php 4.3.9
php php 4.3.0
php php 4.3.8
CVE-2005-1043 MEDIUM

exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
suse suse_linux 6.4
apple mac_os_x 10.4
php php 4.3.4
php php 4.3.5
suse suse_linux 3.0
suse suse_linux 4.4
apple mac_os_x 10.3.9
suse suse_linux 6.1
suse suse_linux 9.3
suse suse_linux 9.2
suse suse_linux 8.2
suse suse_linux 8.0
php php 4.3.2
suse suse_linux 7.2
suse suse_linux 4.0
php php 4.3.3
apple mac_os_x_server 10.3.9
suse suse_linux 6.3
suse suse_linux 5.0
suse suse_linux 5.2
peachtree peachtree_linux release_1
php php 4.3.9
suse suse_linux 8.1
suse suse_linux 9.1
suse suse_linux 6.2
suse suse_linux 5.1
suse suse_linux 6.0
suse suse_linux 4.2
php php 4.3.7
suse suse_linux 7.0
suse suse_linux 4.4.1
php php 4.3.6
suse suse_linux 2.0
conectiva linux 9.0
conectiva linux 10.0
suse suse_linux 4.3
php php 4.3.10
apple mac_os_x_server 10.4
suse suse_linux 1.0
php php 4.3.0
apple mac_os_x_server 10.4.1
apple mac_os_x 10.4.1
php php 4.3.1
suse suse_linux 7.3
suse suse_linux 5.3
sgi propack 3.0
suse suse_linux 9.0
php php 4.3.8
suse suse_linux 7.1
CVE-2005-1921 HIGH

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
debian debian_linux 3.1
gggeek phpxmlrpc *
drupal drupal *
php xml_rpc *
tiki tikiwiki_cms/groupware *
CVE-2005-3054 LOW

fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not properly restrict access to other directories when the open_basedir directive includes a trailing slash, which allows PHP scripts in one directory to access files in other directories whose names are substrings of the original directory.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.4.0
CVE-2005-3319 LOW

The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) for PHP 5.x before 5.1.0 final and 4.4 before 4.4.1 final allows attackers to cause a denial of service (segmentation fault) via the session.save_path option in a .htaccess file or VirtualHost.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2005-3353 MEDIUM

The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 4.3.4
php php 4.3.5
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.3.3
php php 4.3.10
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2005-3388 MEDIUM

Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2005-3389 MEDIUM

The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2005-3390 HIGH

The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 3.0.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2005-3391 HIGH

Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 3.0.2
php php 4.0.2
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.3.3
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2005-3392 HIGH

Unspecified vulnerability in PHP before 4.4.1, when using the virtual function on Apache 2, allows remote attackers to bypass safe_mode and open_basedir directives.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 3.0.2
php php 4.0.2
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.3.3
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2005-3883 MEDIUM

CRLF injection vulnerability in the mb_send_mail function in PHP before 5.1.0 might allow remote attackers to inject arbitrary e-mail headers via line feeds (LF) in the "To" address argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.3.7
php php 4.2.3
php php 5.0.3
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 5.0
php php 4.3.0
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2005-4154 MEDIUM

Unspecified vulnerability in PEAR installer 1.4.2 and earlier allows user-assisted attackers to execute arbitrary code via a crafted package that can execute code when the pear command is executed or when the Web/Gtk frontend is loaded.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php pear 1.3.3
php pear 1.0
php pear 1.3.6
php pear *
php pear 1.1
php pear 1.3
php pear 1.3.4
php pear 0.90
php pear 1.4.0
php pear 1.2.1
php pear 0.10
php pear 0.11
php pear 1.3.3.1
php pear 1.4.1
php pear 1.2
php pear 1.3.5
php pear 0.9
php pear 1.0.1
php pear 1.3.1
CVE-2006-0097 HIGH

Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.4.0
php php 4.4.1
php php 4.4.2
php php 4.3.10
CVE-2006-0144 HIGH

The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
php pear 0.2.2
apache2triad apache2triad *
CVE-2006-0200 HIGH

Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
php php 5.1.0
php php 5.1.1
CVE-2006-0207 MEDIUM

Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.1.0
php php 5.0.3
php php 5.0.4
php php 5.0.5
php php 5.1.1
php php 5.0.2
php php 5.0.1
php php 5.0
CVE-2006-0208 LOW

Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.1.2
php php 4.2.2
php php 5.1.0
php php 4.3.11
php php 4.1.0
php php 5.0.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.1.1
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2006-0996 MEDIUM

Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php 5.1.2
php php 4.4.2
CVE-2006-1014 LOW

Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.0.3
php php 4.0.0
php php 4.3.6
php php 4.3.4
php php 4.3.5
php php 4.4.1
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.2
php php 5.0
php php 5.1.0
php php 4.3.11
php php 5.0.4
php php 4.4.0
php php 5.0.5
php php 5.0.2
php php 4.3.7
php php 4.3.9
php php 4.3.8
CVE-2006-1015 MEDIUM

Argument injection vulnerability in certain PHP 3.x, 4.x, and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mail function, allows remote attackers to read and create arbitrary files via the sendmail -C and -X arguments. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2006-1017 HIGH

The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 5.0
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2006-1490 MEDIUM

PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue has been referred to as a "memory leak," but it is an information leak that discloses memory contents.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2006-1494 LOW

Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 5.1.0
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 5.1.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.1.1
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2006-1549 LOW

PHP 4.4.2 and 5.1.2 allows local users to cause a crash (segmentation fault) by defining and executing a recursive function. NOTE: it has been reported by a reliable third party that some later versions are also affected.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.1.2
php php 4.4.2
CVE-2006-1558 MEDIUM

Cross-site scripting (XSS) vulnerability in search.php in PHP Script Index allows remote attackers to inject arbitrary web script or HTML via the search parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php_script_index *
CVE-2006-1559 HIGH

SQL injection vulnerability in PHP Script Index allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php_script_index *
CVE-2006-1608 LOW

The copy function in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 5.1.0
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 5.1.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.1.1
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2006-1990 MEDIUM

Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.1.2
php php 4.4.2
CVE-2006-1991 MEDIUM

The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.1.2
CVE-2006-2419 MEDIUM

Cross-site scripting (XSS) vulnerability in index.php in Directory Listing Script allows remote attackers to inject arbitrary web script or HTML via the dir parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php directory_listing_script *
CVE-2006-2563 LOW

The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to bypass safe mode and read files via a file:// request containing null characters.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.1.4
php php 4.4.2
CVE-2006-2660 LOW

Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 4.3.4
php php 4.3.5
php php 4.1.2
php php 4.2.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.1.4
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 4.3.10
php php 4.3.0
php php 4.0.3
php php 4.4.3
php php 4.2.1
php php 4.3.1
php php 4.0.4
php php 4.3.9
php php 4.3.8
CVE-2006-3011 MEDIUM

The error_log function in basic_functions.c in PHP before 4.4.4 and 5.x before 5.1.5 allows local users to bypass safe mode and open_basedir restrictions via a "php://" or other scheme in the third argument, which disables safe mode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2006-3017 HIGH

zend_hash_del_key_or_index in zend_hash.c in PHP before 4.4.3 and 5.x before 5.1.3 can cause zend_hash_del to delete the wrong element, which prevents a variable from being unset even when the PHP unset function is called, which might cause the variable's value to be used in security-relevant operations.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 3.0.15
php php 3.0.8
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 4.2
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php pl1
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 4.3.1
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2006-4020 MEDIUM

scanf.c in PHP 5.1.4 and earlier, and 4.4.3 and earlier, allows context-dependent attackers to execute arbitrary code via a sscanf PHP function call that performs argument swapping, which increments an index past the end of an array and triggers a buffer over-read.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 4.1.1
php php 5.0.0
php php 4.3.4
php php 4.3.5
php php 4.2
php php 4.1.2
php php 4.2.2
php php 5.1.0
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 4.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 4.0
php php 5.0.3
php php 4.0.0
php php 4.2.0
php php 4.3.6
php php 4.3.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 4.3.10
php php 5.0.1
php php 4.0.7
php php 5.0
php php 4.3.0
php php 4.0.3
php php 4.4.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.1.1
php php 4.3.1
php php 4.0.4
php php 4.0.6
php php 4.3.9
php php 4.3.8
CVE-2006-6541 HIGH

PHP remote file inclusion vulnerability in signer/final.php in warez distributions of Animated Smiley Generator allows remote attackers to execute arbitrary PHP code via a URL in the smiley parameter. NOTE: the vendor disputes this issue, stating that only Warez versions of Animated Smiley Generator were affected, not the developer-provided software: "Legitimately purchased applications do not allow this exploit.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php animated_smiley_generator *
CVE-2006-7204 LOW

The imap_body function in PHP before 4.4.4 does not implement safemode or open_basedir checks, which allows local users to read arbitrary files or list arbitrary directory contents.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2006-7243 MEDIUM

PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.2.15
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 5.2.17
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2007-1285 MEDIUM

The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 3.0
suse linux_enterprise_server 10
redhat enterprise_linux_desktop 3.0
redhat enterprise_linux_server 2.0
novell suse_linux 10.0
redhat enterprise_linux_server 4.0
canonical ubuntu_linux 7.10
suse linux_enterprise_server 8
redhat enterprise_linux_workstation 3.0
php php *
redhat enterprise_linux_workstation 2.0
novell suse_linux 10.1
redhat enterprise_linux_workstation 4.0
redhat enterprise_linux_desktop 4.0
CVE-2007-1399 HIGH

Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
pecl_zip 1.8.3 *
php php 5.2.1
php php 5.2.0
pierrejoye php_zip *
CVE-2007-2728 MEDIUM

The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php -
canonical ubuntu_linux 6.10
canonical ubuntu_linux 7.04
canonical ubuntu_linux 6.06
CVE-2007-2872 MEDIUM

Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 and PHP 4 before 4.4.8 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.2
php php 5.0.1
php php *
php php 5.1.0
php php 5.1.3
php php 5.1.5
php php 5.0.4
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.1.4
php php 5.0.2
php php 5.1.2
CVE-2008-0599 HIGH

The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-131,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 8.04
fedoraproject fedora 9
apple mac_os_x_server *
fedoraproject fedora 8
apple mac_os_x *
canonical ubuntu_linux 7.10
canonical ubuntu_linux 7.04
canonical ubuntu_linux 6.06
CVE-2008-2050 HIGH

Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP before 5.2.6 has unknown impact and attack vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.2
php php 5.0.1
php php *
php php 5.2.4
php php 5.1.0
php php 5.1.3
php php 5.1.5
php php 5.0.4
php php 5.2.3
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.1.4
php php 5.0.2
php php 5.1.2
CVE-2008-2108 HIGH

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-331,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 8.04
fedoraproject fedora 9
fedoraproject fedora 8
debian debian_linux 4.0
canonical ubuntu_linux 7.10
canonical ubuntu_linux 7.04
canonical ubuntu_linux 6.06
CVE-2009-2687 MEDIUM

The exif_read_data function in the Exif module in PHP before 5.2.10 allows remote attackers to cause a denial of service (crash) via a malformed JPEG image with invalid offset fields, a different issue than CVE-2005-3353.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
debian debian_linux 4.0
debian debian_linux 5.0
debian debian_linux 6.0
CVE-2009-3546 HIGH

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.2.11
libgd gd_graphics_library 2.0.34
libgd gd_graphics_library 2.0.36
libgd gd_graphics_library 2.0.33
php php 5.3.0
libgd gd_graphics_library 2.0.35
CVE-2009-3559 HIGH

main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php 5.3.0
CVE-2009-4017 MEDIUM

PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
php php *
debian debian_linux 4.0
debian debian_linux 5.0
php php 5.3.0
apple mac_os_x 10.6.3
debian debian_linux 6.0
CVE-2009-5016 MEDIUM

Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 3.0.13
php php 5.1.5
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2010-0397 MEDIUM

The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.3.1
CVE-2010-1128 MEDIUM

The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.2.10
php php 5.2.2
php php *
php php 5.2.4
php php 5.2.8
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.2.6
CVE-2010-1129 HIGH

The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.2.10
php php 5.2.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.2.6
CVE-2010-1130 MEDIUM

session.c in the session extension in PHP before 5.2.13, and 5.3.1, does not properly interpret ; (semicolon) characters in the argument to the session_save_path function, which allows context-dependent attackers to bypass open_basedir and safe_mode restrictions via an argument that contains multiple ; characters in conjunction with a .. (dot dot).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.2.2
php php *
php php 5.2.8
php php 5.1.0
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.2.13
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.0.1
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.3.1
php php 5.2.6
CVE-2010-1860 MEDIUM

The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal call, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1861 MEDIUM

The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to write to arbitrary memory addresses by using an object's __sleep function to interrupt an internal call to the shm_put_var function, which triggers access of a freed resource.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1862 MEDIUM

The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1864 MEDIUM

The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1866 HIGH

The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
suse linux_enterprise 10.0
suse linux_enterprise 11.0
opensuse opensuse 11.3
opensuse opensuse 11.1
opensuse opensuse 11.2
CVE-2010-1868 HIGH

The (1) sqlite_single_query and (2) sqlite_array_query functions in ext/sqlite/sqlite.c in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to execute arbitrary code by calling these functions with an empty SQL query, which triggers access of uninitialized memory.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1914 MEDIUM

The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information by interrupting the handler for the (1) ZEND_BW_XOR opcode (shift_left_function), (2) ZEND_SL opcode (bitwise_xor_function), or (3) ZEND_SR opcode (shift_right_function), related to the convert_to_long_base function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1915 MEDIUM

The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-1917 MEDIUM

Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (PHP crash) via a crafted first argument to the fnmatch function, as demonstrated using a long string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2093 MEDIUM

Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2094 MEDIUM

Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
php php 5.3.0
php php 5.3.1
CVE-2010-2097 MEDIUM

The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2100 MEDIUM

The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_build_query, (5) strpbrk, and (6) strtr functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2101 MEDIUM

The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_word_count, and (6) str_pad functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2190 MEDIUM

The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2191 MEDIUM

The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; the (5) ZEND_FETCH_RW, (6) ZEND_CONCAT, and (7) ZEND_ASSIGN_CONCAT opcodes; and the (8) ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler. NOTE: vectors 2 through 4 are related to the call time pass by reference feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2225 HIGH

Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-2484 MEDIUM

The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.2.10
php php 5.2.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.5
php php 5.2.6
CVE-2010-2531 MEDIUM

The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
debian debian_linux 5.0
debian debian_linux 6.0
CVE-2010-2950 MEDIUM

Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-134,

Products Affected

Vendor Product Version
php php 5.3.0
php php 5.3.3
php php 5.3.1
php php 5.3.2
CVE-2010-3062 MEDIUM

mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.3.0
php php 5.3.1
php php 5.3.2
CVE-2010-3063 MEDIUM

The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.3.0
php php 5.3.1
php php 5.3.2
CVE-2010-3064 MEDIUM

Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.3.0
php php 5.3.1
php php 5.3.2
CVE-2010-3065 MEDIUM

The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.2
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-3436 MEDIUM

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 8.04
canonical ubuntu_linux 10.10
canonical ubuntu_linux 9.10
canonical ubuntu_linux 10.04
canonical ubuntu_linux 6.06
CVE-2010-3709 MEDIUM

The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 8.04
canonical ubuntu_linux 10.10
canonical ubuntu_linux 9.10
canonical ubuntu_linux 10.04
canonical ubuntu_linux 6.06
CVE-2010-3710 MEDIUM

Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.14
php php 5.2.2
php php 5.3.3
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.0
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-3870 MEDIUM

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 8.04
canonical ubuntu_linux 10.10
canonical ubuntu_linux 9.10
canonical ubuntu_linux 10.04
canonical ubuntu_linux 6.06
CVE-2010-4150 MEDIUM

Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.14
php php 5.2.2
php php 5.3.3
php php 5.3.2
php php 5.2.4
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.13
php php 5.2.0
php php 5.3.1
CVE-2010-4409 MEDIUM

Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 3.0.2
php php 2.0
php php 4.0.2
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.3.0
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2010-4645 MEDIUM

strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.3
php php 5.3.2
php php 5.2.4
php php 5.2.8
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.9
php php 5.2.13
php php 5.2.15
php php 5.2.0
php php 5.2.16
php php 5.2.7
php php 5.2.5
php php 5.3.1
php php 5.2.6
CVE-2010-4697 MEDIUM

Use-after-free vulnerability in the Zend engine in PHP before 5.2.15 and 5.3.x before 5.3.4 might allow context-dependent attackers to cause a denial of service (heap memory corruption) or have unspecified other impact via vectors related to use of __set, __get, __isset, and __unset methods on objects accessed by a reference.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2010-4698 MEDIUM

Stack-based buffer overflow in the GD extension in PHP before 5.2.15 and 5.3.x before 5.3.4 allows context-dependent attackers to cause a denial of service (application crash) via a large number of anti-aliasing steps in an argument to the imagepstext function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.2.1
php php 5.3.0
php php 5.2.10
php php 5.2.14
php php 5.2.2
php php 5.3.3
php php 5.3.2
php php 5.2.4
php php 5.2.12
php php 5.2.11
php php 5.2.3
php php 5.2.13
php php 5.2.0
php php 5.3.1
CVE-2010-4699 MEDIUM

The iconv_mime_decode_headers function in the Iconv extension in PHP before 5.3.4 does not properly handle encodings that are unrecognized by the iconv and mbstring (aka Multibyte String) implementations, which allows remote attackers to trigger an incomplete output array, and possibly bypass spam detection or have unspecified other impact, via a crafted Subject header in an e-mail message, as demonstrated by the ks_c_5601-1987 character set.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.2.15
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 5.2.17
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2010-4700 MEDIUM

The set_magic_quotes_runtime function in PHP 5.3.2 and 5.3.3, when the MySQLi extension is used, does not properly interact with use of the mysqli_fetch_assoc function, which might make it easier for context-dependent attackers to conduct SQL injection attacks via crafted input that had been properly handled in earlier PHP versions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
php php 5.3.3
php php 5.3.2
CVE-2011-0420 MEDIUM

The grapheme_extract function in the Internationalization extension (Intl) for ICU for PHP 5.3.5 allows context-dependent attackers to cause a denial of service (crash) via an invalid size argument, which triggers a NULL pointer dereference.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.3.5
CVE-2011-0421 MEDIUM

The _zip_name_locate function in zip_name_locate.c in the Zip extension in PHP before 5.3.6 does not properly handle a ZIPARCHIVE::FL_UNCHANGED argument, which might allow context-dependent attackers to cause a denial of service (NULL pointer dereference) via an empty ZIP archive that is processed with a (1) locateName or (2) statName operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-0441 MEDIUM

The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php php 5.3.5
CVE-2011-0708 MEDIUM

exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-0752 MEDIUM

The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 3.0.11
php php 4.3.8
CVE-2011-0753 MEDIUM

Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-362,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 3.0.2
php php 2.0
php php 4.0.2
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.3.0
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-0754 MEDIUM

The SplFileInfo::getType function in the Standard PHP Library (SPL) extension in PHP before 5.3.4 on Windows does not properly detect symbolic links, which might make it easier for local users to conduct symlink attacks by leveraging cross-platform differences in the stat structure, related to lack of a FILE_ATTRIBUTE_REPARSE_POINT check.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 3.0.2
php php 2.0
php php 4.0.2
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.3.0
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-0755 MEDIUM

Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.2.15
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 5.2.17
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-1072 LOW

The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php pear 0.2.2
php pear 1.3.6
php pear *
php pear 1.3
php pear 0.90
php pear 1.4.0
php pear 1.6.1
php pear 0.10
php pear 1.3.3.1
php pear 1.4.2
php pear 1.4.1
php pear 1.2
php pear 0.9
php pear 1.5.0
php pear 1.3.1
php pear 1.3.3
php pear 1.0
php pear 1.5.1
php pear 1.1
php pear 1.3.4
php pear 1.2.1
php pear 0.11
php pear 1.3.5
php pear 1.0.1
CVE-2011-1092 HIGH

Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (crash) and possibly read sensitive memory via a large third argument to the shmop_read function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1144 LOW

The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1072.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php pear 0.2.2
php pear 1.3.6
php pear *
php pear 1.3
php pear 0.90
php pear 1.4.0
php pear 1.6.1
php pear 0.10
php pear 1.3.3.1
php pear 1.4.2
php pear 1.4.1
php pear 1.2
php pear 0.9
php pear 1.5.0
php pear 1.3.1
php pear 1.3.3
php pear 1.0
php pear 1.5.1
php pear 1.1
php pear 1.3.4
php pear 1.2.1
php pear 0.11
php pear 1.9.1
php pear 1.3.5
php pear 1.0.1
CVE-2011-1148 HIGH

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 3.0.2
php php 2.0
php php 4.0.2
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.3.0
php php 5.3.4
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 5.3.5
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-1153 HIGH

Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-1464 MEDIUM

Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1466 MEDIUM

Integer overflow in the SdnToJulian function in the Calendar extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1467 MEDIUM

Unspecified vulnerability in the NumberFormatter::setSymbol (aka numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument, a related issue to CVE-2010-4409.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1468 MEDIUM

Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1469 MEDIUM

Unspecified vulnerability in the Streams component in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) by accessing an ftp:// URL during use of an HTTP proxy with the FTP wrapper.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1470 MEDIUM

The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2011-1471 MEDIUM

Integer signedness error in zip_stream.c in the Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (CPU consumption) via a malformed archive file that triggers errors in zip_fread function calls.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php *
CVE-2011-1657 MEDIUM

The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.3.6
CVE-2011-1938 HIGH

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.3.4
php php 5.3.5
php php 5.3.3
php php 5.3.6
CVE-2011-2202 MEDIUM

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 3.0.2
php php 2.0
php php 4.0.2
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 3.0.8
php php 4.4.3
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.3.0
php php 5.3.4
php php 3.0.13
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 4.0.1
php php 4.3.7
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 3.0.3
php php 3.0.7
php php 5.3.5
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 4.0.3
php php 4.2.1
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-2483 MEDIUM

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.13
solar_designer crypt_blowfish 0.4.6
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
solar_designer crypt_blowfish 0.2
php php 5.3.0
php php 5.2.2
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.1.0
php php 5.0.2
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
solar_designer crypt_blowfish 0.4
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
solar_designer crypt_blowfish 0.4.5
php php 4.0.2
solar_designer crypt_blowfish 0.4.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
solar_designer crypt_blowfish 0.3
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
solar_designer crypt_blowfish 0.4.4
php php 3.0.18
postgresql postgresql *
php php 5.3.4
php php 4.3.11
php php 4.4.0
solar_designer crypt_blowfish *
solar_designer crypt_blowfish 0.4.1
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 4.4.8
solar_designer crypt_blowfish 0.4.3
CVE-2011-3182 MEDIUM

PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.5
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-3189 MEDIUM

The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
php php 5.3.7
CVE-2011-3267 MEDIUM

PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.5
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-3268 HIGH

Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.1.2
php php 4.2.2
php php 5.3.2
php php *
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.2.3
php php 2.0
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.0.3
php php 4.0.0
php php 2.0b10
php php 4.3.2
php php 5.2.10
php php 3.0.14
php php 4.4.6
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 5.0.1
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 4.4.3
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 3.0.4
php php 4.3.9
php php 5.2.6
php php 3.0.1
php php 3.0.18
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 4.3.11
php php 4.4.0
php php 4.1.0
php php 5.0.2
php php 4.0.1
php php 4.3.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 4.0
php php 3.0.5
php php 4.2.0
php php 4.3.6
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.5
php php 4.3.10
php php 5.3.3
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 5.0.5
php php 5.2.0
php php 4.3.1
php php 4.4.5
php php 4.4.8
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
CVE-2011-3379 HIGH

The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
php php 5.3.8
php php 5.3.7
CVE-2011-4153 MEDIUM

PHP 5.3.8 does not always check the return value of the zend_strndup function, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.3.8
CVE-2011-4566 MEDIUM

Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 11.10
debian debian_linux 7.0
canonical ubuntu_linux 8.04
php php 5.4.0
canonical ubuntu_linux 11.04
debian debian_linux 5.0
canonical ubuntu_linux 10.10
canonical ubuntu_linux 10.04
debian debian_linux 6.0
CVE-2011-4718 MEDIUM

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 5.3.26
php php 5.2.14
php php 5.3.12
php php 5.4.13
php php 5.3.25
php php 5.4.5
php php 5.4.16
php php 5.3.2
php php 5.3.16
php php *
php php 5.1.0
php php 5.4.0
php php 5.2.3
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 5.2.16
php php 5.3.23
php php 5.4.3
php php 5.0.3
php php 5.3.21
php php 5.2.10
php php 5.0.1
php php 5.3.17
php php 5.2.4
php php 5.3.20
php php 5.4.12
php php 5.2.9
php php 5.2.15
php php 5.1.1
php php 5.4.2
php php 5.3.6
php php 5.2.6
php php 5.0.0
php php 5.5.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 5.4.15
php php 5.3.7
php php 5.3.11
php php 5.3.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.4.11
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 5.4.8
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 5.3.27
php php 5.3.10
php php 5.3.5
php php 5.3.22
php php 5.4.14
php php 5.3.3
php php 5.4.10
php php 5.4.9
php php 5.1.3
php php 5.0.4
php php 5.3.24
php php 5.3.14
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 5.4.1
php php 5.2.17
php php 5.3.1
php php 5.4.4
php php 5.4.7
CVE-2011-4885 MEDIUM

PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.3.0
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.3.2
php php *
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.16
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.3.5
php php 5.0.1
php php 5.3.3
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.2.15
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.2.17
php php 5.3.1
php php 5.3.6
php php 5.2.6
CVE-2012-0057 MEDIUM

PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.3.0
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.3.2
php php *
php php 5.2.8
php php 5.2.12
php php 5.1.0
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.2.13
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.16
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.3.5
php php 5.0.1
php php 5.3.3
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.2.15
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.2.17
php php 5.3.1
php php 5.3.6
php php 5.2.6
CVE-2012-0781 MEDIUM

The tidy_diagnose function in PHP 5.3.8 might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.3.8
CVE-2012-0788 MEDIUM

The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.3.0
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.3.2
php php *
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.16
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.3.5
php php 5.0.1
php php 5.3.3
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.2.15
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.2.17
php php 5.3.1
php php 5.3.6
php php 5.2.6
CVE-2012-0789 MEDIUM

Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.3.0
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.3.2
php php *
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.16
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.3.5
php php 5.0.1
php php 5.3.3
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.2.15
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.2.17
php php 5.3.1
php php 5.3.6
php php 5.2.6
CVE-2012-0830 HIGH

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.3.9
CVE-2012-0831 MEDIUM

PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
CVE-2012-1172 MEDIUM

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.0.0
php php 5.3.0
php php 5.2.14
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.3.2
php php *
php php 5.2.8
php php 5.2.12
php php 5.1.0
php php 5.1.5
php php 5.2.11
php php 5.2.3
php php 5.2.13
php php 5.3.8
php php 5.1.4
php php 5.0.2
php php 5.1.2
php php 5.2.16
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 5.0.3
php php 5.1.6
php php 5.2.1
php php 5.2.10
php php 5.3.5
php php 5.0.1
php php 5.3.3
php php 5.2.4
php php 5.1.3
php php 5.0.4
php php 5.2.9
php php 5.2.15
php php 5.0.5
php php 5.1.1
php php 5.2.0
php php 5.2.17
php php 5.3.1
php php 5.3.6
php php 5.2.6
CVE-2012-1823 HIGH

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-77,

Products Affected

Vendor Product Version
opensuse opensuse 12.1
php php 5.2.14
redhat enterprise_linux_eus 6.1
php php 5.3.2
hp hp-ux b.11.23
php php *
redhat enterprise_linux_eus 5.6
php php 5.1.0
php php 5.4.0
fedoraproject fedora 40
php php 5.2.3
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 5.2.16
suse linux_enterprise_software_development_kit 10
suse linux_enterprise_server 10
php php 5.0.3
suse linux_enterprise_server 11
fedoraproject fedora 39
php php 5.2.10
redhat enterprise_linux_workstation 6.0
redhat application_stack 2.0
php php 5.0.1
php php 5.2.4
redhat enterprise_linux_desktop 6.0
php php 5.2.9
php php 5.2.15
php php 5.1.1
suse linux_enterprise_software_development_kit 11
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server_aus 5.6
php php 5.3.6
debian debian_linux 6.0
php php 5.2.6
redhat storage 2.0
apple mac_os_x *
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 5.3.7
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.3.8
redhat gluster_storage_server_for_on-premise 2.0
php php 5.0.2
redhat enterprise_linux_server 5.0
redhat enterprise_linux_workstation 5.0
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 5.1.6
php php 5.2.1
php php 5.3.10
php php 5.3.5
php php 5.3.3
redhat enterprise_linux_server_aus 5.3
hp hp-ux b.11.31
php php 5.1.3
redhat storage_for_public_cloud 2.0
redhat enterprise_linux_eus 6.2
php php 5.0.4
php php 5.0.5
php php 5.2.0
php php 5.4.1
php php 5.2.17
opensuse opensuse 11.4
php php 5.3.1
CVE-2012-2143 MEDIUM

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
freebsd freebsd 2.2.8
freebsd freebsd 2.2.5
freebsd freebsd 2.2
freebsd freebsd 4.8
freebsd freebsd 1.1
freebsd freebsd 4.4
freebsd freebsd 3.2
freebsd freebsd 7.2
freebsd freebsd 3.1
php php *
freebsd freebsd *
freebsd freebsd 4.10
postgresql postgresql 9.0
freebsd freebsd 6.1
freebsd freebsd 7.1
postgresql postgresql 9.1
freebsd freebsd 4.3
postgresql postgresql 8.3
freebsd freebsd 2.2.6
freebsd freebsd 3.4
freebsd freebsd 4.6.2
freebsd freebsd 1.1.5
freebsd freebsd 4.2
freebsd freebsd 7.0
freebsd freebsd 1.1.5.1
freebsd freebsd 4.11
freebsd freebsd 1.0
freebsd freebsd 5.0
debian debian_linux 6.0
freebsd freebsd 2.1.6
freebsd freebsd 4.0
freebsd freebsd 5.2.1
postgresql postgresql *
freebsd freebsd 8.1
freebsd freebsd 5.5
freebsd freebsd 3.3
postgresql postgresql 8.4
freebsd freebsd 7.3
freebsd freebsd 4.6
freebsd freebsd 2.2.1
freebsd freebsd 8.2
freebsd freebsd 8.0
freebsd freebsd 4.7
freebsd freebsd 6.3
freebsd freebsd 2.1
freebsd freebsd 5.4
freebsd freebsd 2.1.7
freebsd freebsd 7.4
freebsd freebsd 3.0
freebsd freebsd 2.2.7
freebsd freebsd 4.5
freebsd freebsd 4.9
freebsd freebsd 5.1
freebsd freebsd 6.2
freebsd freebsd 2.2.2
freebsd freebsd 6.4
freebsd freebsd 5.2
freebsd freebsd 2.0
freebsd freebsd 8.3
freebsd freebsd 4.1
freebsd freebsd 3.5
freebsd freebsd 6.0
freebsd freebsd 2.1.5
freebsd freebsd 4.1.1
freebsd freebsd 2.0.5
freebsd freebsd 5.3
CVE-2012-2311 HIGH

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2012-2329 MEDIUM

Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.4.0
php php 5.4.1
php php 5.4.2
CVE-2012-2335 HIGH

php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 5.4.2
php php 5.3.12
CVE-2012-2336 MEDIUM

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2012-2376 HIGH

Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorrect handling of COM object VARIANT types, as exploited in the wild in May 2012.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 1.0
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 4.4.3
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 4.0.3
php php 5.0.4
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2012-2386 HIGH

Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php *
CVE-2012-4388 MEDIUM

The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1398.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 11.10
canonical ubuntu_linux 8.04
canonical ubuntu_linux 12.04
php php 5.4.0
canonical ubuntu_linux 11.04
canonical ubuntu_linux 10.04
debian debian_linux 6.0
CVE-2012-5381 MEDIUM

Untrusted search path vulnerability in the installation functionality in PHP 5.3.17, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\PHP directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the PHP installation

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.3.17
CVE-2012-6113 MEDIUM

The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 5.3.10
php php 5.3.12
php php 5.3.11
php php 5.3.9
php php 5.3.13
CVE-2013-1635 HIGH

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 5.3.12
php php 1.0
php php 3.0.12
php php 5.4.5
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 5.3.17
php php 4.4.3
php php 5.3.20
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 5.4.8
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.4.9
php php 5.1.3
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 5.4.4
php php 5.4.7
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php 5.3.16
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.4.3
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.4.12
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 5.3.13
php php 5.4.11
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 5.4.10
php php 4.0.3
php php 5.0.4
php php 5.3.14
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2013-1643 MEDIUM

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 5.3.12
php php 1.0
php php 3.0.12
php php 5.4.5
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.0.3
php php 4.0.0
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 5.3.17
php php 4.4.3
php php 5.3.20
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 5.4.8
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.4.9
php php 5.1.3
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 5.4.4
php php 5.4.7
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 4.1.2
php php 5.3.16
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.4.3
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.4.12
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 5.3.13
php php 5.4.11
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 3.0.3
php php 3.0.7
php php 5.3.3
php php 5.4.10
php php 4.0.3
php php 5.0.4
php php 5.3.14
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2013-1824 MEDIUM

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
php php *
apple mac_os_x *
redhat enterprise_linux 6.0
redhat enterprise_linux 5
CVE-2013-2110 MEDIUM

Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 5.3.12
php php 1.0
php php 3.0.12
php php 5.4.5
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.3.23
php php 5.0.3
php php 4.0.0
php php 5.3.21
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 5.3.17
php php 4.4.3
php php 5.3.20
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 5.4.8
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 5.4.14
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.4.9
php php 5.1.3
php php 5.3.24
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 5.4.4
php php 5.4.7
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 5.4.13
php php 4.1.2
php php 5.3.16
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.4.3
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.4.12
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 5.4.15
php php 5.3.13
php php 5.4.11
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 3.0.3
php php 3.0.7
php php 5.3.22
php php 5.3.3
php php 5.4.10
php php 4.0.3
php php 5.0.4
php php 5.3.14
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2013-3735 MEDIUM

The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.4.3
php php 5.4.8
php php 5.5.0
php php 5.4.13
php php 5.4.14
php php 5.4.10
php php 5.4.5
php php *
php php 5.4.6
php php 5.4.9
php php 5.4.11
php php 5.4.0
php php 5.4.12
php php 5.4.1
php php 5.4.2
php php 5.4.4
php php 5.4.7
CVE-2013-4113 MEDIUM

ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
CVE-2013-4248 MEDIUM

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.3.26
php php 5.2.14
canonical ubuntu_linux 13.04
php php 5.3.12
php php 5.4.13
php php 5.3.25
php php 5.4.5
php php 5.4.16
php php 5.3.2
php php 5.3.16
php php *
php php 5.1.0
php php 5.4.0
php php 5.2.3
php php 5.2.13
php php 5.1.4
php php 5.1.2
php php 5.2.16
php php 5.3.23
php php 5.4.3
php php 5.0.3
php php 5.3.21
php php 5.2.10
redhat enterprise_linux 5
php php 5.0.1
php php 5.3.17
php php 5.2.4
canonical ubuntu_linux 12.10
php php 5.3.20
php php 5.4.12
php php 5.2.9
php php 5.2.15
php php 5.1.1
php php 5.4.2
php php 5.3.6
php php 5.2.6
php php 5.0.0
php php 5.5.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.4
php php 5.4.15
php php 5.3.7
php php 5.3.11
php php 5.3.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.4.11
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 5.5.1
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
canonical ubuntu_linux 12.04
php php 5.4.8
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 5.3.27
php php 5.3.10
php php 5.3.5
php php 5.3.22
php php 5.4.14
php php 5.3.3
php php 5.4.10
canonical ubuntu_linux 10.04
php php 5.4.9
php php 5.1.3
php php 5.0.4
php php 5.3.24
php php 5.3.14
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 5.4.1
php php 5.2.17
php php 5.3.1
php php 5.4.4
php php 5.4.7
CVE-2013-4433 MEDIUM

Cross-site scripting (XSS) vulnerability in XHProf before 0.9.4 allows remote attackers to inject arbitrary web script or HTML via the run parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php xhprof *
php xhprof 0.9.1
php xhprof 0.9.0
php xhprof 0.9.2
CVE-2013-4635 MEDIUM

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 5.3.12
php php 1.0
php php 3.0.12
php php 5.4.5
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.3.23
php php 5.0.3
php php 4.0.0
php php 5.3.21
php php 5.2.10
php php 4.4.6
php php 5.0.1
php php 5.3.17
php php 4.4.3
php php 5.3.20
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 4.1.0
php php 5.0.2
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 5.4.8
php php 4.3.6
php php 5.3.10
php php 5.3.5
php php 5.4.14
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.4.9
php php 5.1.3
php php 5.3.24
php php 5.3.19
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 5.4.4
php php 5.4.7
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 5.4.13
php php 4.1.2
php php 5.3.16
php php *
php php 5.2.3
php php 2.0
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.4.3
php php 2.0b10
php php 4.3.2
php php 3.0.14
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.4.12
php php 5.2.9
php php 5.1.1
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.3.4
php php 5.4.15
php php 5.3.13
php php 5.4.11
php php 4.3.11
php php 4.4.0
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 3.0.3
php php 3.0.7
php php 5.3.22
php php 5.3.3
php php 5.4.10
php php 4.0.3
php php 5.0.4
php php 5.3.14
php php 4.2.1
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2013-4636 MEDIUM

The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.4.3
php php 5.4.8
php php 5.4.13
php php 5.4.15
php php 5.4.14
php php 5.4.10
php php 5.4.5
php php 5.4.6
php php 5.4.9
php php 5.4.11
php php 5.4.0
php php 5.4.12
php php 5.4.1
php php 5.4.2
php php 5.4.4
php php 5.4.7
CVE-2013-6420 HIGH

The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.3.26
php php 5.3.12
php php 5.4.13
php php 5.3.25
php php 5.4.5
php php 5.4.16
php php 5.3.2
php php 5.3.16
php php *
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.3.23
php php 5.4.3
php php 5.5.4
php php 5.3.21
php php 5.4.18
php php 5.5.2
php php 5.3.17
php php 5.3.20
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.3.6
apple mac_os_x *
php php 5.5.0
php php 5.3.15
php php 5.3.0
php php 5.3.4
php php 5.4.15
php php 5.3.7
php php 5.3.11
php php 5.3.13
php php 5.4.6
php php 5.4.11
php php 5.3.8
php php 5.5.1
php php 5.3.9
opensuse opensuse 12.3
opensuse opensuse 12.2
php php 5.4.8
php php 5.4.17
opensuse opensuse 13.1
php php 5.3.18
php php 5.3.10
php php 5.3.5
php php 5.3.22
php php 5.4.14
php php 5.4.22
php php 5.3.3
php php 5.4.10
php php 5.4.9
php php 5.3.24
php php 5.3.14
php php 5.3.19
php php 5.4.20
php php 5.4.21
php php 5.4.1
opensuse opensuse 11.4
php php 5.3.1
php php 5.4.4
php php 5.4.7
CVE-2013-6501 MEDIUM

The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
php php *
suse linux_enterprise_server 11.0
CVE-2013-6712 MEDIUM

The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 7.0
opensuse opensuse 12.2
apple mac_os_x *
canonical ubuntu_linux 12.04
opensuse opensuse 13.1
canonical ubuntu_linux 13.04
canonical ubuntu_linux 10.04
php php *
canonical ubuntu_linux 12.10
canonical ubuntu_linux 13.10
opensuse opensuse 11.4
debian debian_linux 6.0
opensuse opensuse 12.3
CVE-2013-7226 MEDIUM

Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.5.4
php php 5.5.6
php php 5.5.0
php php 5.5.1
php php 5.5.3
php php 5.5.5
php php 5.5.7
php php 5.5.2
php php 5.5.8
CVE-2013-7327 MEDIUM

The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
php php 5.5.4
php php 5.5.0
php php 5.5.2
canonical ubuntu_linux 10.04
php php *
canonical ubuntu_linux 12.10
canonical ubuntu_linux 13.10
php php 5.5.6
php php 5.5.1
php php 5.5.3
php php 5.5.5
php php 5.5.7
CVE-2013-7328 MEDIUM

Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.5.4
php php 5.5.6
php php 5.5.0
php php 5.5.1
php php 5.5.3
php php 5.5.5
php php 5.5.7
php php 5.5.2
php php 5.5.8
CVE-2013-7345 MEDIUM

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
christos_zoulas file *
debian debian_linux 6.0
CVE-2014-0185 HIGH

sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
php php *
CVE-2014-0207 MEDIUM

The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-20,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
oracle linux 7
opensuse opensuse 11.4
christos_zoulas file *
CVE-2014-0236 MEDIUM

file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2014-0237 MEDIUM

The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-0238 MEDIUM

The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-1943 MEDIUM

Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
fine_free_file_project fine_free_file *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 12.10
canonical ubuntu_linux 13.10
canonical ubuntu_linux 10.04
debian debian_linux 6.0
CVE-2014-2020 MEDIUM

ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check data types, which might allow remote attackers to obtain sensitive information by using a (1) string or (2) array data type in place of a numeric data type, as demonstrated by an imagecrop function call with a string for the x dimension value, a different vulnerability than CVE-2013-7226.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php *
php php 5.5.4
php php 5.5.6
php php 5.5.0
php php 5.5.1
php php 5.5.3
php php 5.5.5
php php 5.5.7
php php 5.5.2
CVE-2014-2270 MEDIUM

softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 7.0
canonical ubuntu_linux 12.04
opensuse opensuse 13.1
debian debian_linux 8.0
canonical ubuntu_linux 10.04
php php *
canonical ubuntu_linux 12.10
canonical ubuntu_linux 13.10
file_project file *
opensuse opensuse 11.4
debian debian_linux 6.0
opensuse opensuse 12.3
CVE-2014-2497 MEDIUM

The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_tus 6.5
debian debian_linux 8.0
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.3
php php *
redhat enterprise_linux_server_aus 7.6
oracle solaris 11.2
redhat enterprise_linux_server_aus 6.5
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.3
canonical ubuntu_linux 12.04
redhat enterprise_linux_eus 6.5
suse linux_enterprise_server 11
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_tus 7.7
canonical ubuntu_linux 14.04
redhat enterprise_linux_eus 7.7
canonical ubuntu_linux 16.04
suse linux_enterprise_software_development_kit 11
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 15.10
CVE-2014-3478 MEDIUM

Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
php php 5.4.13
php php 5.4.26
christos_zoulas file *
christos_zoulas file 5.10
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
christos_zoulas file 5.02
christos_zoulas file 5.11
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.11
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
christos_zoulas file 5.07
christos_zoulas file 5.12
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
christos_zoulas file 5.04
christos_zoulas file 5.03
php php 5.5.0
christos_zoulas file 5.16
php php 5.4.15
christos_zoulas file 5.05
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.7
php php 5.4.28
christos_zoulas file 5.06
christos_zoulas file 5.09
christos_zoulas file 5.00
christos_zoulas file 5.14
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
christos_zoulas file 5.13
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.5.10
php php 5.4.24
php php 5.4.1
christos_zoulas file 5.01
christos_zoulas file 5.08
christos_zoulas file 5.17
christos_zoulas file 5.15
php php 5.4.4
php php 5.4.7
CVE-2014-3479 MEDIUM

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
oracle linux 7
file_project file *
opensuse opensuse 11.4
CVE-2014-3480 MEDIUM

The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,CWE-20,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
oracle linux 7
file_project file *
opensuse opensuse 11.4
CVE-2014-3487 MEDIUM

The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
oracle linux 7
file_project file *
opensuse opensuse 11.4
CVE-2014-3515 HIGH

The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-3538 MEDIUM

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
debian debian_linux 7.0
christos_zoulas file 5.03
christos_zoulas file 5.06
christos_zoulas file 5.09
christos_zoulas file 5.00
christos_zoulas file 5.14
debian debian_linux 8.0
christos_zoulas file 5.16
christos_zoulas file 5.05
christos_zoulas file *
christos_zoulas file 5.07
christos_zoulas file 5.10
christos_zoulas file 5.12
php php *
christos_zoulas file 5.13
christos_zoulas file 5.02
christos_zoulas file 5.11
christos_zoulas file 5.04
christos_zoulas file 5.01
christos_zoulas file 5.08
christos_zoulas file 5.17
christos_zoulas file 5.15
CVE-2014-3587 MEDIUM

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.4.13
php php 5.4.26
christos_zoulas file 5.18
christos_zoulas file *
christos_zoulas file 5.10
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
christos_zoulas file 5.02
christos_zoulas file 5.11
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.11
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
christos_zoulas file 5.07
christos_zoulas file 5.12
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
christos_zoulas file 5.04
christos_zoulas file 5.03
php php 5.5.0
christos_zoulas file 5.16
php php 5.4.15
christos_zoulas file 5.05
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
christos_zoulas file 5.06
christos_zoulas file 5.09
christos_zoulas file 5.00
christos_zoulas file 5.14
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
christos_zoulas file 5.13
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
christos_zoulas file 5.01
christos_zoulas file 5.08
christos_zoulas file 5.17
christos_zoulas file 5.15
php php 5.4.4
php php 5.4.7
CVE-2014-3597 MEDIUM

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.11
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.0
php php 5.4.15
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2014-3622 MEDIUM

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
CVE-2014-3668 MEDIUM

Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.4.32
php php 5.6.0
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.16
php php 5.4.31
php php 5.5.11
php php 5.6.1
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.17
php php 5.5.0
php php 5.4.15
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2014-3669 HIGH

Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.4.32
php php 5.6.0
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.16
php php 5.4.31
php php 5.5.11
php php 5.6.1
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.17
php php 5.5.0
php php 5.4.15
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2014-3670 MEDIUM

The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.4.32
php php 5.6.0
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.16
php php 5.4.31
php php 5.5.11
php php 5.6.1
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.17
php php 5.5.0
php php 5.4.15
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2014-3710 MEDIUM

The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 10.04
CVE-2014-3981 LOW

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php php *
CVE-2014-4049 MEDIUM

Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
php php 5.6.0
debian debian_linux 8.0
opensuse opensuse 11.3
CVE-2014-4670 MEDIUM

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.4
php php 5.5.9
php php 5.5.0
php php 5.5.2
php php 5.5.12
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.6
php php 5.5.1
php php 5.5.3
php php 5.5.10
php php 5.5.5
php php 5.5.7
php php 5.5.11
CVE-2014-4698 MEDIUM

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2014-4721 LOW

The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2014-5120 MEDIUM

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php 5.5.13
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.4.31
php php 5.5.11
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.0
php php 5.4.15
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2014-5459 LOW

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php php *
opensuse opensuse 13.1
opensuse evergreen 11.4
oracle solaris 11.2
opensuse opensuse 12.3
CVE-2014-8142 HIGH

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2014-8626 HIGH

Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
php php 5.2.4
php php 5.2.3
php php 5.2.1
php php 5.2.0
php php 5.2.2
php php 5.2.5
CVE-2014-9425 HIGH

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
apple mac_os_x *
CVE-2014-9426 HIGH

The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable

CVSS 2.0

Severity: HIGH

Problem Type: CWE-17,

Products Affected

Vendor Product Version
php php *
CVE-2014-9427 HIGH

sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.19
php php 4.3.4
php php 3.0.6
php php 4.3.5
php php 5.2.14
php php 5.3.12
php php 1.0
php php 5.4.26
php php 5.3.28
php php 3.0.12
php php 4.2.2
php php 5.3.2
php php 3.0.9
php php 5.1.0
php php 3.0.2
php php 5.4.0
php php 5.2.13
php php 5.2.16
php php 5.3.23
php php 5.5.11
php php 5.0.3
php php 4.0.0
php php 5.3.21
php php 5.2.10
php php 4.4.6
php php 5.5.14
php php 5.0.1
php php 5.3.17
php php 4.4.3
php php 5.3.20
php php 5.2.15
php php 5.4.2
php php 3.0.4
php php 5.2.6
php php 3.0.1
php php 4.1.1
php php 5.0.0
php php 5.5.0
php php 5.3.15
php php 5.3.0
php php 5.2.2
php php 5.4.34
php php 5.3.7
php php 5.3.11
php php 3.0.13
php php 5.4.25
php php 5.2.8
php php 5.2.12
php php 5.1.5
php php 5.2.11
php php 5.3.8
php php 5.5.1
php php 4.1.0
php php 5.0.2
php php 5.4.28
php php 5.3.9
php php 5.2.7
php php 5.2.5
php php 4.2.3
php php 3.0
php php 3.0.5
php php 4.3.6
php php 5.4.17
php php 5.5.9
php php 5.3.10
php php 5.5.12
php php 5.3.5
php php 5.4.14
php php 5.4.22
php php 4.3.10
php php 4.0.7
php php 4.4.7
php php 4.4.9
php php 4.3.0
php php 5.1.3
php php 5.3.24
php php 5.3.19
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.0.5
php php 5.2.0
php php 4.4.5
php php 5.4.1
php php 4.0.6
php php 5.3.1
php php 3.0.11
php php 4.3.8
php php 5.3.26
php php 4.0.5
php php 3.0.16
php php 3.0.17
php php 5.6.0
php php 5.6.3
php php 5.4.13
php php 5.3.25
php php 5.4.16
php php 4.1.2
php php 5.3.16
php php 5.5.13
php php 5.5.20
php php 5.2.3
php php 2.0
php php 5.4.19
php php 5.5.3
php php 5.1.4
php php 5.1.2
php php 4.0.2
php php 5.4.3
php php 5.5.4
php php 2.0b10
php php 4.3.2
php php 5.4.18
php php 3.0.14
php php 5.5.2
php php 4.4.1
php php 4.4.2
php php 4.3.3
php php 3.0.10
php php 4.4.4
php php 5.6.2
php php 3.0.15
php php 5.2.4
php php 3.0.8
php php 5.4.12
php php 5.2.9
php php 5.5.6
php php 5.1.1
php php 5.4.36
php php 5.5.5
php php 4.0.4
php php 4.3.9
php php 5.3.6
php php 3.0.18
php php 5.6.4
php php 5.5.18
php php 5.3.4
php php 5.4.15
php php 5.5.8
php php 5.3.13
php php 5.4.11
php php 4.3.11
php php 5.4.23
php php 4.4.0
php php 5.5.7
php php 4.0.1
php php 4.3.7
php php 4.0
php php 4.2.0
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 5.3.27
php php 3.0.3
php php 5.4.27
php php 3.0.7
php php 5.3.22
php php 5.3.3
php php 5.4.10
php php 5.4.29
php php 5.4.35
php php 4.0.3
php php 5.0.4
php php 5.3.14
php php 4.2.1
php php 5.5.10
php php 5.4.24
php php 4.3.1
php php 5.2.17
php php 4.4.8
CVE-2014-9652 MEDIUM

The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
file_project file *
php php 5.5.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2014-9653 HIGH

readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
file_project file *
php php 5.5.7
php php 5.5.11
debian debian_linux 7.0
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2014-9705 HIGH

Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2014-9709 MEDIUM

The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
libgd libgd *
opensuse opensuse 13.1
debian debian_linux 8.0
canonical ubuntu_linux 16.04
opensuse opensuse 13.2
canonical ubuntu_linux 15.10
CVE-2014-9767 MEDIUM

Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
hiphop_virtual_machine_for_php_project hiphop_virtual_machine_for_php *
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.6.10
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.27
php php 5.5.26
CVE-2014-9912 HIGH

The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.0
php php 5.4.13
php php 5.4.15
php php 5.4.26
php php 5.5.8
php php 5.4.5
php php 5.4.16
php php 5.4.25
php php *
php php 5.5.13
php php 5.4.6
php php 5.4.11
php php 5.4.0
php php 5.4.19
php php 5.4.23
php php 5.5.1
php php 5.5.3
php php 5.5.7
php php 5.4.28
php php 5.5.11
php php 5.4.3
php php 5.4.8
php php 5.5.4
php php 5.4.17
php php 5.5.9
php php 5.4.18
php php 5.5.2
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.12
php php 5.5.6
php php 5.4.20
php php 5.4.21
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.2
php php 5.5.5
php php 5.4.4
php php 5.4.7
CVE-2015-0231 HIGH

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.19
php php 5.6.0
php php 5.6.3
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.5.20
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.16
php php 5.5.11
php php 5.6.1
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.6.2
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.17
php php 5.6.4
php php 5.5.18
php php 5.5.0
php php 5.4.15
php php 5.4.34
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.35
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2015-0232 MEDIUM

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.19
php php 5.6.0
php php 5.6.3
php php 5.4.13
php php 5.4.26
php php 5.4.5
php php 5.4.16
php php *
php php 5.5.13
php php 5.5.20
php php 5.4.0
php php 5.4.19
php php 5.5.3
php php 5.5.16
php php 5.5.11
php php 5.6.1
php php 5.4.3
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.5.14
php php 5.6.2
php php 5.4.12
php php 5.5.6
php php 5.4.2
php php 5.5.5
php php 5.5.17
php php 5.6.4
php php 5.5.18
php php 5.5.0
php php 5.4.15
php php 5.4.34
php php 5.5.8
php php 5.4.25
php php 5.4.6
php php 5.4.11
php php 5.4.23
php php 5.5.1
php php 5.5.15
php php 5.5.7
php php 5.4.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.12
php php 5.4.27
php php 5.4.14
php php 5.4.22
php php 5.4.10
php php 5.4.29
php php 5.4.9
php php 5.4.35
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.5.10
php php 5.4.24
php php 5.4.1
php php 5.4.4
php php 5.4.7
CVE-2015-0235 HIGH

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
oracle communications_lsms 13.1
apple mac_os_x *
debian debian_linux 8.0
oracle communications_session_border_controller *
oracle communications_eagle_lnp_application_processor 10.0
oracle communications_policy_management 9.9.1
oracle communications_policy_management 12.1.1
oracle communications_user_data_repository *
php php *
ibm security_access_manager_for_enterprise_single_sign-on 8.2
oracle communications_session_border_controller 7.2.0
oracle communications_application_session_controller *
oracle communications_webrtc_session_controller 7.0
ibm pureapplication_system 1.0.0.0
oracle communications_policy_management 10.4.1
oracle communications_webrtc_session_controller 7.1
debian debian_linux 7.0
gnu glibc *
ibm pureapplication_system 2.0.0.0
oracle vm_virtualbox *
ibm pureapplication_system 1.1.0.0
oracle linux 7
redhat virtualization 6.0
oracle communications_eagle_application_processor 16.0
oracle communications_policy_management 11.5
oracle communications_session_border_controller 8.0.0
oracle exalogic_infrastructure 2.0
oracle communications_webrtc_session_controller 7.2
oracle exalogic_infrastructure 1.0
oracle communications_policy_management 9.7.3
oracle linux 5
CVE-2015-0273 HIGH

Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash function.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-1351 HIGH

Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
apple mac_os_x *
oracle linux 6
oracle linux 7
oracle solaris 11.2
oracle secure_backup *
CVE-2015-1352 MEDIUM

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
apple mac_os_x *
CVE-2015-2301 HIGH

Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
debian debian_linux 7.0
apple mac_os_x *
canonical ubuntu_linux 12.04
redhat enterprise_linux_desktop 7.0
opensuse opensuse 13.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 14.10
canonical ubuntu_linux 10.04
redhat enterprise_linux_hpc_node 7.0
php php *
canonical ubuntu_linux 14.04
opensuse opensuse 13.2
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
CVE-2015-2305 MEDIUM

Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
opensuse opensuse 13.1
debian debian_linux 8.0
rxspencer_project rxspencer 3.8.g5
opensuse opensuse 13.2
canonical ubuntu_linux 14.10
canonical ubuntu_linux 10.04
canonical ubuntu_linux 15.04
CVE-2015-2325 MEDIUM

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
php php *
mariadb mariadb *
opensuse opensuse 13.1
pcre pcre *
opensuse opensuse 13.2
CVE-2015-2326 MEDIUM

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
mariadb mariadb *
opensuse opensuse 13.1
pcre pcre *
opensuse opensuse 13.2
CVE-2015-2331 HIGH

Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
opensuse opensuse 13.2
php php 5.5.7
php php 5.5.11
debian debian_linux 7.0
php php 5.6.1
fedoraproject fedora 22
php php 5.5.4
opensuse opensuse 13.1
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
nih libzip *
CVE-2015-2348 MEDIUM

The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
opensuse opensuse 13.2
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.5.11
php php 5.6.1
php php 5.5.4
opensuse opensuse 13.1
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-2783 MEDIUM

ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-2787 HIGH

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
apple mac_os_x 10.10.3
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
opensuse opensuse 13.2
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.5.11
php php 5.6.1
php php 5.5.4
opensuse opensuse 13.1
php php 5.5.9
php php 5.5.21
apple mac_os_x 10.10.4
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
apple mac_os_x 10.9.5
php php 5.6.6
apple mac_os_x 10.10.0
apple mac_os_x 10.10.1
apple mac_os_x 10.10.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-3152 MEDIUM

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 7.5
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
mariadb mariadb *
debian debian_linux 8.0
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_eus 7.1
redhat enterprise_linux_eus 7.3
php php *
oracle mysql *
redhat enterprise_linux_server_aus 7.6
fedoraproject fedora 21
oracle mysql_connector/c *
fedoraproject fedora 22
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 7.4
CVE-2015-3307 HIGH

The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-3329 HIGH

Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
apple mac_os_x 10.10.3
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
oracle solaris 11.2
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
oracle linux 6
oracle linux 7
apple mac_os_x 10.10.4
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
apple mac_os_x 10.9.5
php php 5.6.6
apple mac_os_x 10.10.0
apple mac_os_x 10.10.1
redhat enterprise_linux 6.0
apple mac_os_x 10.10.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-3330 MEDIUM

The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that result in a "deconfigured interpreter."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
oracle solaris 11.2
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
oracle linux 6
oracle linux 7
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-3411 MEDIUM

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-3412 MEDIUM

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-254,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-3414 HIGH

SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-908,

Products Affected

Vendor Product Version
php php *
sqlite sqlite *
canonical ubuntu_linux 12.04
apple mac_os_x 10.10.5
apple watchos 1.0.1
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 15.04
CVE-2015-3415 HIGH

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-404,

Products Affected

Vendor Product Version
php php *
sqlite sqlite *
canonical ubuntu_linux 12.04
apple mac_os_x 10.10.5
apple watchos 1.0.1
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 15.04
CVE-2015-3416 HIGH

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
sqlite sqlite *
apple mac_os_x *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
apple watchos *
canonical ubuntu_linux 15.04
CVE-2015-4021 MEDIUM

The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.4.39
php php 5.5.10
php php 5.5.5
CVE-2015-4022 HIGH

Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.4.39
php php 5.5.10
php php 5.5.5
CVE-2015-4024 MEDIUM

Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
oracle solaris 11.2
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
oracle linux 6
oracle linux 7
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.4.39
php php 5.5.10
php php 5.5.5
hp system_management_homepage *
CVE-2015-4025 HIGH

PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-19,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.4.39
php php 5.5.10
php php 5.5.5
CVE-2015-4026 HIGH

The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-19,

Products Affected

Vendor Product Version
php php 5.5.23
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.4.39
php php 5.5.10
php php 5.5.5
CVE-2015-4116 HIGH

Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.8
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.9
php php 5.6.10
php php 5.6.7
CVE-2015-4147 HIGH

The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-19,

Products Affected

Vendor Product Version
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.5.11
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-4148 MEDIUM

The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
apple mac_os_x *
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.5.11
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-4598 HIGH

PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
php php 5.5.25
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4599 HIGH

The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4600 HIGH

The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4601 HIGH

PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
redhat enterprise_linux_hpc_node 7.0
CVE-2015-4602 HIGH

The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4603 HIGH

The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data type, related to a "type confusion" issue.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4604 MEDIUM

The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4605 MEDIUM

The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
redhat enterprise_linux_desktop 7.0
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php 5.5.22
php php 5.5.8
redhat enterprise_linux_hpc_node 7.0
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_hpc_node_eus 7.1
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.6.6
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4642 HIGH

The escapeshellarg function in ext/standard/exec.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 on Windows allows remote attackers to execute arbitrary OS commands via a crafted string to an application that accepts command-line arguments for a call to the PHP system function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-4643 HIGH

Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
debian debian_linux 8.0
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
php php *
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_eus 7.1
redhat enterprise_linux_server_eus 7.2
debian debian_linux 7.0
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_eus 7.5
redhat enterprise_linux_server_tus 6.6
oracle linux 6
oracle linux 7
redhat enterprise_linux_server_aus 6.6
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_eus 7.4
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_server_eus 7.3
redhat enterprise_linux_server_eus 6.6
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux_server_aus 7.4
CVE-2015-4644 MEDIUM

The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
redhat enterprise_linux 7.0
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
redhat enterprise_linux 6.0
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
CVE-2015-5589 HIGH

The phar_convert_to_other function in ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 does not validate a file pointer before a close operation, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted TAR archive that is mishandled in a Phar::convertToData call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.26
CVE-2015-5590 HIGH

Stack-based buffer overflow in the phar_fix_filepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling of an e-mail attachment by the imap PHP extension.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.6.10
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.26
CVE-2015-6527 HIGH

The php_str_replace_in_subject function in ext/standard/string.c in PHP 7.x before 7.0.0 allows remote attackers to execute arbitrary code via a crafted value in the third argument to the str_ireplace function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php 7.0.0
CVE-2015-6831 HIGH

Multiple use-after-free vulnerabilities in SPL in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allow remote attackers to execute arbitrary code via vectors involving (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList, which are mishandled during unserialization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2015-6832 HIGH

Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.6.10
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.27
php php 5.5.26
CVE-2015-6833 MEDIUM

Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.6.10
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.27
php php 5.5.26
CVE-2015-6834 HIGH

Multiple use-after-free vulnerabilities in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 allow remote attackers to execute arbitrary code via vectors related to (1) the Serializable interface, (2) the SplObjectStorage class, and (3) the SplDoublyLinkedList class, which are mishandled during unserialization.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
php php 5.5.26
CVE-2015-6835 HIGH

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
php php 5.5.26
CVE-2015-6836 HIGH

The SoapClient __call method in ext/soap/soap.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 does not properly manage headers, which allows remote attackers to execute arbitrary code via crafted serialized data that triggers a "type confusion" in the serialize_function_call function.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.6.10
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.27
php php 5.5.26
CVE-2015-6837 MEDIUM

The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
xmlsoft libxml2 *
php php 5.5.26
CVE-2015-6838 MEDIUM

The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.28
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
xmlsoft libxml2 *
php php 5.5.26
CVE-2015-7803 MEDIUM

The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
apple mac_os_x *
php php 5.6.4
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.9
php php 5.6.10
php php 5.6.7
CVE-2015-7804 MEDIUM

Off-by-one error in the phar_parse_zipfile function in ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (uninitialized pointer dereference and application crash) by including the / filename in a .zip PHAR archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
apple mac_os_x *
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.9
php php 5.6.10
php php 5.6.7
CVE-2015-8383 HIGH

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
CVE-2015-8386 HIGH

PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
oracle linux 7
CVE-2015-8387 HIGH

PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
CVE-2015-8389 HIGH

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-185,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
CVE-2015-8390 HIGH

PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-908,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
CVE-2015-8391 HIGH

The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
redhat enterprise_linux_eus 7.5
fedoraproject fedora 22
redhat enterprise_linux_server_aus 7.3
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_desktop 7.0
oracle linux 7
redhat enterprise_linux_eus 7.2
redhat enterprise_linux_eus 7.4
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_server_tus 7.3
redhat enterprise_linux_eus 7.6
redhat enterprise_linux_eus 7.3
php php *
redhat enterprise_linux_server_aus 7.2
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_server_tus 7.2
pcre pcre *
redhat enterprise_linux_server_aus 7.4
CVE-2015-8393 MEDIUM

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre perl_compatible_regular_expression_library *
CVE-2015-8394 HIGH

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
pcre perl_compatible_regular_expression_library *
CVE-2015-8616 HIGH

Use-after-free vulnerability in the Collator::sortWithSortKeys function in ext/intl/collator/collator_sort.c in PHP 7.x before 7.0.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging the relationships between a key buffer and a destroyed array.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 7.0.0
CVE-2015-8617 HIGH

Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
php php 7.0.1
CVE-2015-8835 HIGH

The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
php php 5.5.26
CVE-2015-8838 MEDIUM

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.22
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.26
CVE-2015-8865 HIGH

The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
apple mac_os_x *
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
CVE-2015-8866 MEDIUM

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
php php *
suse linux_enterprise_module_for_web_scripting 12
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
opensuse opensuse 13.2
canonical ubuntu_linux 15.10
opensuse leap 42.1
suse linux_enterprise_software_development_kit 12
CVE-2015-8867 MEDIUM

The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
CVE-2015-8873 MEDIUM

Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
opensuse leap 42.1
CVE-2015-8874 MEDIUM

Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
opensuse leap 42.1
CVE-2015-8876 HIGH

Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not validate certain Exception objects, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
CVE-2015-8877 MEDIUM

The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
php php *
libgd libgd *
CVE-2015-8878 HIGH

main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-362,

Products Affected

Vendor Product Version
php php *
CVE-2015-8879 MEDIUM

The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
CVE-2015-8880 HIGH

Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an error.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
php php 7.0.0
CVE-2015-8935 MEDIUM

The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.5.8
php php *
php php 5.5.13
php php 5.5.20
php php 5.5.1
php php 5.5.3
php php 5.5.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.5
php php 5.6.2
php php 5.5.6
php php 5.5.10
php php 5.5.5
CVE-2015-8994 MEDIUM

An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php *
CVE-2015-9253 MEDIUM

An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
php php *
php php 7.3.0
CVE-2016-10158 MEDIUM

The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.14
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.1.0
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-10159 MEDIUM

Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
php php 7.1.0
debian debian_linux 8.0
CVE-2016-10160 HIGH

Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
debian debian_linux 8.0
CVE-2016-10161 MEDIUM

The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.14
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.1.0
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-10162 MEDIUM

The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.14
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php 7.0.1
php php 7.1.0
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-10397 MEDIUM

In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-10712 MEDIUM

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
canonical ubuntu_linux 17.10
CVE-2016-1283 HIGH

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 22
pcre pcre 8.38
fedoraproject fedora 23
oracle solaris 11.3
CVE-2016-1903 MEDIUM

The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-200,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.9
php php 7.0.1
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
php php 7.0.0
CVE-2016-1904 HIGH

Multiple integer overflows in ext/standard/exec.c in PHP 7.x before 7.0.2 allow remote attackers to cause a denial of service or possibly have unspecified other impact via a long string to the (1) php_escape_shell_cmd or (2) php_escape_shell_arg function, leading to a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 7.0.1
php php 7.0.0
CVE-2016-2554 HIGH

Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 7.0.1
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 7.0.2
php php 5.6.7
php php 7.0.0
CVE-2016-3074 HIGH

Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-681,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
opensuse opensuse 13.2
canonical ubuntu_linux 15.10
fedoraproject fedora 23
fedoraproject fedora 24
libgd libgd 2.1.1
CVE-2016-3078 HIGH

Multiple integer overflows in php_zip.c in the zip extension in PHP before 7.0.6 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted call to (1) getFromIndex or (2) getFromName in the ZipArchive class.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
CVE-2016-3132 HIGH

Double free vulnerability in the SplDoublyLinkedList::offsetSet function in ext/spl/spl_dllist.c in PHP 7.x before 7.0.6 allows remote attackers to execute arbitrary code via a crafted index.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
php php 7.0.1
php php 7.0.4
php php 7.0.5
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-3141 HIGH

Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
apple mac_os_x *
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.18
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
CVE-2016-3142 MEDIUM

The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
apple mac_os_x *
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.18
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
CVE-2016-3185 MEDIUM

The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.6.4
php php 5.5.19
php php 5.6.0
php php 5.5.18
php php 5.5.0
php php 5.6.3
php php 5.6.11
php php 5.5.22
php php 5.5.8
php php 7.0.3
php php *
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.1
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.15
php php 5.5.7
php php 5.5.25
php php 5.6.7
php php 5.5.11
php php 5.6.1
php php 5.5.4
php php 5.5.9
php php 5.5.21
php php 5.5.2
php php 5.5.12
php php 5.5.14
php php 5.6.8
php php 5.6.5
php php 5.6.2
php php 5.6.6
php php 5.5.24
php php 7.0.1
php php 5.5.6
php php 5.5.10
php php 5.5.5
php php 5.5.17
php php 5.5.27
php php 5.5.26
php php 7.0.2
php php 7.0.0
CVE-2016-4070 MEDIUM

Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this qualifies as security issue (probably not).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
CVE-2016-4071 HIGH

Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.5.19
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.25
php php 5.6.14
php php 5.5.29
php php 5.5.11
php php 5.6.1
php php 5.6.13
php php 5.5.30
php php 5.5.4
php php 5.5.2
php php 5.5.14
php php 5.6.12
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 5.5.24
php php 7.0.1
php php 5.5.6
php php 5.6.16
php php 5.5.5
php php 5.5.17
php php 5.5.33
php php 5.5.27
php php 7.0.0
apple mac_os_x *
php php 5.6.4
php php 5.5.18
php php 5.5.0
php php 5.5.22
php php 7.0.4
php php 5.5.8
php php 7.0.3
php php 5.5.32
php php 5.5.1
php php 5.6.15
php php 5.5.15
php php 5.5.7
php php 5.5.31
php php 5.6.7
php php 5.5.9
php php 5.5.21
php php 5.6.18
php php 5.5.12
php php 5.6.8
php php 5.6.5
php php 5.5.10
php php 5.5.26
php php 7.0.2
CVE-2016-4072 HIGH

The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.5.19
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.3
php php 5.5.16
php php 5.6.10
php php 5.5.25
php php 5.6.14
php php 5.5.29
php php 5.5.11
php php 5.6.1
php php 5.6.13
php php 5.5.30
php php 5.5.4
php php 5.5.2
php php 5.5.14
php php 5.6.12
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 5.5.24
php php 7.0.1
php php 5.5.6
php php 5.6.16
php php 5.5.5
php php 5.5.17
php php 5.5.33
php php 5.5.27
php php 7.0.0
apple mac_os_x *
php php 5.6.4
php php 5.5.18
php php 5.5.0
php php 5.5.22
php php 7.0.4
php php 5.5.8
php php 7.0.3
php php 5.5.32
php php 5.5.1
php php 5.6.15
php php 5.5.15
php php 5.5.7
php php 5.5.31
php php 5.6.7
php php 5.5.9
php php 5.5.21
php php 5.6.18
php php 5.5.12
php php 5.6.8
php php 5.6.5
php php 5.5.10
php php 5.5.26
php php 7.0.2
CVE-2016-4073 HIGH

Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.5.23
php php 5.5.19
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.5.13
php php 5.5.20
php php 5.6.9
php php 5.5.3
php php 5.6.10
php php 5.5.25
php php 5.6.14
php php 5.5.29
php php 5.5.11
php php 5.6.1
php php 5.6.13
php php 5.5.30
php php 5.5.4
php php 5.5.2
php php 5.5.14
php php 5.6.12
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 5.5.24
php php 7.0.1
php php 5.5.6
php php 5.6.16
php php 5.5.5
php php 5.5.33
php php 5.5.27
php php 7.0.0
apple mac_os_x *
php php 5.6.4
php php 5.5.18
php php 5.5.0
php php 5.5.22
php php 7.0.4
php php 5.5.8
php php 7.0.3
php php 5.5.32
php php 5.5.1
php php 5.6.15
php php 5.5.7
php php 5.6.7
php php 5.5.9
php php 5.5.21
php php 5.6.18
php php 5.5.12
php php 5.6.8
php php 5.6.5
php php 5.5.10
php php 5.5.26
php php 7.0.2
CVE-2016-4342 HIGH

ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 7.0.1
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 7.0.2
php php 5.6.7
php php 7.0.0
CVE-2016-4343 MEDIUM

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-824,

Products Affected

Vendor Product Version
php php *
opensuse opensuse 13.2
CVE-2016-4344 HIGH

Integer overflow in the xml_utf8_encode function in ext/xml/xml.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long argument to the utf8_encode function, leading to a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
CVE-2016-4345 HIGH

Integer overflow in the php_filter_encode_url function in ext/filter/sanitizing_filters.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
CVE-2016-4346 HIGH

Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
opensuse opensuse 13.2
opensuse leap 42.1
CVE-2016-4473 HIGH

/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.7
php php 5.6.9
suse linux_enterprise_module_for_web_scripting 12
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
suse linux_enterprise_software_development_kit 12
php php 5.6.6
php php 5.6.17
php php 5.6.16
php php 5.6.21
CVE-2016-4537 HIGH

The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4538 HIGH

The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4539 HIGH

The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4540 HIGH

The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4541 HIGH

The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4542 HIGH

The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4543 HIGH

The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
opensuse leap 42.1
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
hp system_management_homepage *
php php 7.0.2
fedoraproject fedora 24
php php 7.0.0
CVE-2016-4544 HIGH

The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
opensuse opensuse 13.2
opensuse leap 42.1
fedoraproject fedora 24
CVE-2016-5093 HIGH

The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 7.0.6
php php 5.6.14
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-5094 HIGH

Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.18
php php 5.6.11
php php 5.6.20
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
php php 5.6.21
CVE-2016-5095 HIGH

Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from a FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-5094.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.18
php php 5.6.11
php php 5.6.20
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
php php 5.6.21
CVE-2016-5096 HIGH

Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.18
php php 5.6.11
php php 5.6.20
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php *
php php 5.6.6
php php 5.6.17
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
php php 5.6.21
CVE-2016-5114 MEDIUM

sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-125,

Products Affected

Vendor Product Version
php php 5.6.1
php php 5.6.13
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php *
php php 5.6.6
php php 5.6.9
php php 7.0.1
php php 5.6.10
php php 5.6.15
php php 5.6.16
php php 5.6.14
php php 5.6.7
php php 7.0.0
CVE-2016-5385 MEDIUM

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
oracle enterprise_manager_ops_center 12.3.2
oracle enterprise_manager_ops_center 12.2.2
debian debian_linux 8.0
drupal drupal *
oracle linux 6
oracle linux 7
redhat enterprise_linux_workstation 6.0
opensuse leap 42.1
hp storeever_msl6480_tape_library_firmware *
php php *
redhat enterprise_linux_desktop 6.0
oracle communications_user_data_repository 12.0.0
oracle communications_user_data_repository 10.0.0
hp system_management_homepage *
redhat enterprise_linux_server 6.0
fedoraproject fedora 23
oracle communications_user_data_repository 10.0.1
fedoraproject fedora 24
CVE-2016-5399 MEDIUM

The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
CVE-2016-5768 HIGH

Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 7.0.6
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-5769 HIGH

Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 7.0.6
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-5770 HIGH

Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
opensuse opensuse 13.2
opensuse leap 42.1
CVE-2016-5771 HIGH

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
opensuse opensuse 13.2
opensuse leap 42.1
CVE-2016-5772 HIGH

Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,

Products Affected

Vendor Product Version
php php *
suse linux_enterprise_server 11
debian debian_linux 8.0
suse linux_enterprise_software_development_kit 11
opensuse opensuse 13.2
suse linux_enterprise_debuginfo 11
opensuse leap 42.1
CVE-2016-5773 HIGH

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.6
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-5873 HIGH

Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php pecl_http *
CVE-2016-6174 MEDIUM

applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php php *
php php 5.5.4
php php 5.5.6
php php 5.5.0
php php 5.5.1
php php 5.5.3
php php 5.5.5
php php 5.5.7
php php 5.5.2
invisioncommunity invision_power_board *
CVE-2016-6207 MEDIUM

Integer overflow in the _gdContributionsAlloc function in gd_interpolation.c in GD Graphics Library (aka libgd) before 2.2.3 allows remote attackers to cause a denial of service (out-of-bounds memory write or memory consumption) via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-190,CWE-787,

Products Affected

Vendor Product Version
php php *
libgd libgd *
debian debian_linux 8.0
opensuse leap 42.1
CVE-2016-6288 HIGH

The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
CVE-2016-6289 MEDIUM

Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6290 HIGH

ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6291 HIGH

The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6292 MEDIUM

The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6294 HIGH

The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6295 HIGH

ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6296 HIGH

Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-6297 MEDIUM

Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 5.6.4
php php 5.6.0
php php 5.6.3
php php 5.6.11
php php 5.6.20
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 5.6.9
php php 5.6.10
php php 5.6.15
php php 5.6.23
php php 7.0.8
php php 7.0.6
php php 5.6.14
php php 5.6.22
php php 5.6.7
php php 5.6.1
php php 5.6.13
php php 5.6.18
php php 7.0.5
php php 5.6.8
php php 5.6.12
php php 5.6.5
php php 5.6.2
php php 5.6.19
php php 5.6.6
php php 5.6.17
php php 7.0.1
php php 5.6.16
php php 7.0.2
php php 7.0.0
php php 5.6.21
CVE-2016-7124 HIGH

ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7125 MEDIUM

ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7126 HIGH

The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7127 HIGH

The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7128 MEDIUM

The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7129 HIGH

The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7130 MEDIUM

The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7131 MEDIUM

ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7132 MEDIUM

ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7133 MEDIUM

Zend/zend_alloc.c in PHP 7.x before 7.0.10, when open_basedir is enabled, mishandles huge realloc operations, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a long pathname.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7134 HIGH

ext/curl/interface.c in PHP 7.x before 7.0.10 does not work around a libcurl integer overflow, which allows remote attackers to cause a denial of service (allocation error and heap-based buffer overflow) or possibly have unspecified other impact via a long string that is mishandled in a curl_escape call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.9
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.2
php php 7.0.3
php php 7.0.0
CVE-2016-7398 HIGH

A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-704,

Products Affected

Vendor Product Version
php ext-http 2.6.0
php ext-http 3.1.0
php ext-http *
CVE-2016-7411 HIGH

ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
CVE-2016-7412 MEDIUM

ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7413 HIGH

Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7414 HIGH

The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7416 MEDIUM

ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7417 HIGH

ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7418 MEDIUM

The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7478 MEDIUM

Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php php 5.4.38
php php 5.4.43
php php 5.5.19
php php 5.2.14
php php 5.6.11
php php 7.0.11
php php 5.3.12
php php 5.4.26
php php 5.3.28
php php 5.4.5
php php 5.3.2
php php 5.1.0
php php 5.4.0
php php 5.2.13
php php 5.6.10
php php 7.0.6
php php 5.2.16
php php 5.3.23
php php 5.6.14
php php 5.4.45
php php 5.5.36
php php 5.5.11
php php 5.6.13
php php 7.0.10
php php 5.5.30
php php 5.0.3
php php 5.3.21
php php 5.2.10
php php 5.5.14
php php 7.0.5
php php 5.6.12
php php 5.0.1
php php 5.6.19
php php 5.3.17
php php 5.6.17
php php 5.3.20
php php 7.0.1
php php 5.2.15
php php 5.4.39
php php 5.4.2
php php 5.2.6
php php 7.0.0
php php 5.5.35
php php 5.0.0
php php 5.5.0
php php 5.3.15
php php 5.3.0
php php 5.4.37
php php 5.2.2
php php 5.4.34
php php 5.6.20
php php 5.3.7
php php 7.0.4
php php 7.0.7
php php 5.3.11
php php 5.4.25
php php 5.2.8
php php 5.2.12
php php 5.4.6
php php 5.1.5
php php 5.2.11
php php 5.6.27
php php 5.3.8
php php 5.5.1
php php 5.0.2
php php 5.6.23
php php 5.4.28
php php 5.6.26
php php 5.3.9
php php 5.2.7
php php 5.5.31
php php 5.2.5
php php 5.5.28
php php 5.4.8
php php 5.4.17
php php 5.5.9
php php 5.5.21
php php 5.6.18
php php 5.3.10
php php 5.5.12
php php 5.3.5
php php 5.4.14
php php 5.4.22
php php 5.6.25
php php 5.4.9
php php 5.1.3
php php 5.3.24
php php 5.3.19
php php 5.4.20
php php 5.4.21
php php 5.4.30
php php 5.0.5
php php 5.2.0
php php 5.5.37
php php 5.4.1
php php 5.3.1
php php 7.0.2
php php 5.4.4
php php 5.4.7
php php 5.3.26
php php 5.5.23
php php 7.0.9
php php 5.6.0
php php 5.4.13
php php 5.3.25
php php 5.4.16
php php 5.3.16
php php 5.5.13
php php 5.5.20
php php 5.2.3
php php 5.4.19
php php 5.5.3
php php 5.6.24
php php 5.1.4
php php 5.1.2
php php 5.5.25
php php 5.5.29
php php 5.6.1
php php 5.4.3
php php 5.4.44
php php 5.4.41
php php 5.5.4
php php 5.4.18
php php 5.5.2
php php 5.6.2
php php 5.2.4
php php 5.4.12
php php 5.5.24
php php 5.2.9
php php 5.5.6
php php 5.6.16
php php 7.0.12
php php 5.1.1
php php 5.5.5
php php 5.5.33
php php 5.5.27
php php 5.3.6
php php 5.5.18
php php 5.3.4
php php 5.5.22
php php 5.4.15
php php 5.5.8
php php 5.3.13
php php 5.5.34
php php 7.0.3
php php 5.5.32
php php 5.4.11
php php 5.4.23
php php 5.6.15
php php 5.5.7
php php 7.0.8
php php 5.6.22
php php 5.1.6
php php 5.2.1
php php 5.3.18
php php 5.3.27
php php 5.4.27
php php 5.3.22
php php 5.3.3
php php 5.4.10
php php 5.4.29
php php 5.4.35
php php 5.0.4
php php 5.3.14
php php 5.5.10
php php 5.4.24
php php 5.2.17
php php 5.4.42
php php 5.5.26
php php 5.6.21
CVE-2016-7479 HIGH

In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.14
php php 7.0.9
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php 7.0.1
php php 7.1.0
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-7480 HIGH

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
CVE-2016-7568 HIGH

Integer overflow in the gdImageWebpCtx function in gd_webp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP through 7.0.11, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted imagewebp and imagedestroy calls.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
libgd libgd *
debian debian_linux 8.0
CVE-2016-9137 HIGH

Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-9138 HIGH

PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-9934 MEDIUM

ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-9935 HIGH

The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2016-9936 HIGH

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php 7.0.1
php php 7.0.12
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.0.0
CVE-2017-11142 HIGH

In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
php php 7.0.10
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.13
php php 7.0.11
php php 7.1.2
php php 7.0.4
php php 7.0.5
php php 7.0.7
php php 7.0.3
php php *
php php 7.0.1
php php 7.1.0
php php 7.0.12
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-11143 MEDIUM

In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-502,

Products Affected

Vendor Product Version
php php *
CVE-2017-11144 MEDIUM

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-754,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-11145 MEDIUM

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-11147 MEDIUM

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
CVE-2017-11362 HIGH

In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-11628 MEDIUM

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-12932 HIGH

ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.22
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.21
php php 7.0.3
php php 7.1.8
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.1.7
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-12933 HIGH

The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-12934 MEDIUM

ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have an unspecified impact on the integrity of PHP.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-16642 MEDIUM

In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
canonical ubuntu_linux 14.04
debian debian_linux 8.0
netapp storage_automation_store -
debian debian_linux 9.0
CVE-2017-5340 HIGH

Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
CVE-2017-5630 MEDIUM

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
php pear 1.10.1
CVE-2017-6441 MEDIUM

The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php 7.1.2
CVE-2017-7189 MEDIUM

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
php php *
CVE-2017-7272 MEDIUM

PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
php php *
CVE-2017-7890 MEDIUM

The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php 7.0.14
php php 7.0.15
php php 7.0.9
php php 7.0.11
php php 7.0.18
php php 7.1.2
php php 7.0.4
php php 7.0.7
php php 7.0.3
php php *
php php 7.1.0
php php 7.0.17
php php 7.0.16
php php 7.0.8
php php 7.0.6
php php 7.1.5
php php 7.0.10
php php 7.0.13
php php 7.1.6
php php 7.0.5
php php 7.0.19
php php 7.0.1
php php 7.1.3
php php 7.0.12
php php 7.1.4
php php 7.0.20
php php 7.0.2
php php 7.1.1
php php 7.0.0
CVE-2017-7963 MEDIUM

The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
php php *
CVE-2017-8923 HIGH

The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
CVE-2017-9067 MEDIUM

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
modx modx_revolution 2.5.6
php php 5.3.3
CVE-2017-9118 MEDIUM

PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
php php 7.1.5
CVE-2017-9119 HIGH

The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
netapp clustered_data_ontap -
netapp storage_automation_store -
php php 7.1.5
CVE-2017-9120 HIGH

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
CVE-2017-9224 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
oniguruma_project oniguruma 6.2.0
CVE-2017-9225 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
ruby-lang ruby *
oniguruma_project oniguruma 6.2.0
CVE-2017-9226 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
oniguruma_project oniguruma 6.2.0
CVE-2017-9227 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
oniguruma_project oniguruma 6.2.0
CVE-2017-9228 HIGH

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
oniguruma_project oniguruma 6.2.0
CVE-2017-9229 MEDIUM

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
ruby-lang ruby *
oniguruma_project oniguruma 6.2.0
CVE-2018-1000888 MEDIUM

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
debian debian_linux 8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.10
php pear_archive_tar *
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-10545 LOW

An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-10546 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-835,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-10547 MEDIUM

An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-10548 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-10549 MEDIUM

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
canonical ubuntu_linux 17.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-12882 HIGH

exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
canonical ubuntu_linux 18.04
CVE-2018-14851 MEDIUM

exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-14883 MEDIUM

An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-14884 MEDIUM

An issue was discovered in PHP 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
CVE-2018-15132 MEDIUM

An issue was discovered in ext/standard/link_win32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the open_basedir check. This could be abused to find files on paths outside of the allowed directories.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
CVE-2018-17082 MEDIUM

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
netapp storage_automation_store -
debian debian_linux 9.0
CVE-2018-19395 MEDIUM

ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
CVE-2018-19396 MEDIUM

ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
php php *
CVE-2018-19518 HIGH

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 19.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
uw-imap_project uw-imap 2007f
debian debian_linux 9.0
canonical ubuntu_linux 18.04
CVE-2018-19520 MEDIUM

An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
php php *
sdcms sdcms 1.6
CVE-2018-19935 MEDIUM

ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
php php *
debian debian_linux 8.0
debian debian_linux 9.0
CVE-2018-20783 MEDIUM

In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
opensuse leap 42.3
CVE-2018-5711 MEDIUM

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-681,CWE-835,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
php php 7.2.0
canonical ubuntu_linux 18.04
CVE-2018-5712 MEDIUM

An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
php php 7.2.0
canonical ubuntu_linux 17.10
CVE-2018-7584 HIGH

In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
debian debian_linux 7.0
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 17.10
debian debian_linux 9.0
CVE-2019-11034 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-11035 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-11036 MEDIUM

When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-126,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
fedoraproject fedora 30
debian debian_linux 8.0
canonical ubuntu_linux 18.10
fedoraproject fedora 28
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
opensuse leap 42.3
fedoraproject fedora 29
CVE-2019-11037 HIGH

In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
php imagick *
CVE-2019-11038 MEDIUM

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-457,CWE-908,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.0
fedoraproject fedora 30
debian debian_linux 8.0
redhat software_collections 1.0
debian debian_linux 9.0
fedoraproject fedora 32
canonical ubuntu_linux 18.04
libgd libgd 2.2.5
suse linux_enterprise_software_development_kit 12
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
redhat enterprise_linux 8.0
suse linux_enterprise_desktop 12
canonical ubuntu_linux 19.10
suse linux_enterprise_server 12
suse linux_enterprise_debuginfo 11
suse linux_enterprise_workstation_extension 12
fedoraproject fedora 29
CVE-2019-11039 MEDIUM

Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,CWE-190,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 10.0
redhat software_collections 1.0
debian debian_linux 9.0
CVE-2019-11040 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
opensuse leap 15.0
debian debian_linux 10.0
redhat software_collections 1.0
debian debian_linux 9.0
CVE-2019-11041 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
apple mac_os_x *
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
tenable tenable.sc *
CVE-2019-11042 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H 2.8 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
apple mac_os_x *
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
tenable tenable.sc *
CVE-2019-11043 HIGH

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@php.net 8.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N 2.2 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.6_s390x
redhat enterprise_linux_server_tus 8.6
redhat enterprise_linux_for_power_little_endian 7.0_ppc64le
redhat enterprise_linux_eus 8.4
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.2_s390x
fedoraproject fedora 31
redhat enterprise_linux_for_scientific_computing 7.0
redhat enterprise_linux_server_tus 8.2
php php *
redhat enterprise_linux_for_arm_64_eus 8.8_aarch64
redhat enterprise_linux_for_ibm_z_systems 7.0_s390x
debian debian_linux 10.0
redhat enterprise_linux 8.0
redhat enterprise_linux_for_ibm_z_systems 6.0_s390x
redhat enterprise_linux_eus_compute_node 7.7
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
redhat enterprise_linux_server_tus 8.8
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_for_arm_64 8.0_aarch64
canonical ubuntu_linux 18.04
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.1_s390x
canonical ubuntu_linux 16.04
redhat enterprise_linux_for_ibm_z_systems_eus 8.8_s390x
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 19.10
redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64
fedoraproject fedora 29
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server_aus 7.7
redhat enterprise_linux_for_power_big_endian 7.0_ppc64
redhat enterprise_linux_for_ibm_z_systems_eus 7.7_s390x
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_aus 8.6
redhat enterprise_linux_server 7.0
redhat enterprise_linux_for_power_little_endian_eus 8.2_ppc64le
canonical ubuntu_linux 19.04
redhat enterprise_linux_for_arm_64_eus 8.2_aarch64
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat enterprise_linux_for_arm_64_eus 8.4_aarch64
redhat enterprise_linux_for_power_little_endian_eus 8.1_ppc64le
tenable tenable.sc *
redhat enterprise_linux_for_arm_64_eus 8.6_aarch64
redhat enterprise_linux_eus 8.8
canonical ubuntu_linux 12.04
fedoraproject fedora 30
redhat enterprise_linux_for_ibm_z_systems_eus 8.4_s390x
redhat software_collections 1.0
debian debian_linux 9.0
redhat enterprise_linux_for_arm_64_eus 8.1_aarch64
redhat enterprise_linux_for_power_little_endian_eus 8.8_ppc64le
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.4_ppc64le
redhat enterprise_linux_for_power_big_endian 6.0_ppc64
redhat enterprise_linux_server_tus 7.7
redhat enterprise_linux_eus 8.6
redhat enterprise_linux_for_power_little_endian_eus 8.6_ppc64le
redhat enterprise_linux_for_power_little_endian_eus 7.7_ppc64le
canonical ubuntu_linux 14.04
redhat enterprise_linux_eus 7.7
redhat enterprise_linux_server_aus 8.4
redhat enterprise_linux_server_tus 8.4
CVE-2019-11044 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-170,NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 30
php php 7.4.0
fedoraproject fedora 31
tenable securitycenter *
CVE-2019-11045 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-170,CWE-74,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
fedoraproject fedora 30
debian debian_linux 8.0
debian debian_linux 9.0
fedoraproject fedora 31
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
php php 7.4.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
tenable securitycenter *
CVE-2019-11046 MEDIUM

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
fedoraproject fedora 30
debian debian_linux 8.0
debian debian_linux 9.0
fedoraproject fedora 31
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
php php 7.4.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
tenable securitycenter *
CVE-2019-11047 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5
security@php.net 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
fedoraproject fedora 30
debian debian_linux 8.0
debian debian_linux 9.0
fedoraproject fedora 31
canonical ubuntu_linux 18.04
php php *
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
php php 7.4.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
CVE-2019-11048 MEDIUM

In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-400,CWE-190,

Products Affected

Vendor Product Version
php php *
CVE-2019-11049 HIGH

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-415,CWE-415,

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 30
php php 7.4.0
debian debian_linux 10.0
fedoraproject fedora 31
tenable securitycenter *
CVE-2019-11050 MEDIUM

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
fedoraproject fedora 30
debian debian_linux 8.0
debian debian_linux 9.0
fedoraproject fedora 31
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 14.04
php php 7.4.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
tenable securitycenter *
CVE-2019-13224 HIGH

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-416,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
fedoraproject fedora 30
debian debian_linux 8.0
oniguruma_project oniguruma 6.9.2
fedoraproject fedora 29
CVE-2019-19246 MEDIUM

Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 14.04
debian debian_linux 8.0
fedoraproject fedora 31
oniguruma_project oniguruma *
CVE-2019-6977 MEDIUM

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 14.04
php php 7.3.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.10
debian debian_linux 9.0
canonical ubuntu_linux 18.04
libgd libgd 2.2.5
netapp storage_automation_store *
CVE-2019-9020 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-416,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
opensuse leap 42.3
CVE-2019-9021 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
opensuse leap 42.3
CVE-2019-9022 MEDIUM

An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
CVE-2019-9023 HIGH

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
opensuse leap 42.3
CVE-2019-9024 MEDIUM

An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
netapp storage_automation_store -
debian debian_linux 9.0
opensuse leap 42.3
CVE-2019-9025 HIGH

An issue was discovered in PHP 7.3.x before 7.3.1. An invalid multibyte string supplied as an argument to the mb_split() function in ext/mbstring/php_mbregex.c can cause PHP to execute memcpy() with a negative argument, which could read and write past buffers allocated for the data.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-787,

Products Affected

Vendor Product Version
php php *
netapp storage_automation_store -
CVE-2019-9637 MEDIUM

An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.10
netapp storage_automation_store -
debian debian_linux 9.0
opensuse leap 42.3
canonical ubuntu_linux 18.04
CVE-2019-9638 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-9639 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the data_len variable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-908,CWE-909,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-9640 MEDIUM

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
redhat software_collections 1.0
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-9641 HIGH

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-908,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 18.10
netapp storage_automation_store -
debian debian_linux 9.0
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
opensuse leap 42.3
CVE-2019-9675 MEDIUM

An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phar_tar_writeheaders_int in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue allows theoretical compromise of security, but a practical attack is usually impossible.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
opensuse leap 42.3
CVE-2020-28948 MEDIUM

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-502,

Products Affected

Vendor Product Version
php archive_tar *
fedoraproject fedora 35
drupal drupal *
fedoraproject fedora 33
debian debian_linux 10.0
fedoraproject fedora 34
debian debian_linux 9.0
fedoraproject fedora 32
CVE-2020-28949 MEDIUM

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
php archive_tar *
fedoraproject fedora 35
drupal drupal *
fedoraproject fedora 33
debian debian_linux 10.0
fedoraproject fedora 34
debian debian_linux 9.0
fedoraproject fedora 32
CVE-2020-36193 MEDIUM

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-59,CWE-59,

Products Affected

Vendor Product Version
php archive_tar *
fedoraproject fedora 35
drupal drupal *
fedoraproject fedora 33
debian debian_linux 10.0
fedoraproject fedora 34
debian debian_linux 9.0
fedoraproject fedora 32
CVE-2020-7059 MEDIUM

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
debian debian_linux 8.0
oracle communications_diameter_signaling_router *
tenable tenable.sc *
CVE-2020-7060 MEDIUM

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
debian debian_linux 8.0
oracle communications_diameter_signaling_router *
tenable tenable.sc *
CVE-2020-7061 MEDIUM

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
php php *
tenable tenable.sc *
CVE-2020-7062 MEDIUM

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 8.0
canonical ubuntu_linux 16.04
debian debian_linux 10.0
debian debian_linux 9.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 18.04
CVE-2020-7063 MEDIUM

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
security@php.net 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-281,CWE-281,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
debian debian_linux 8.0
debian debian_linux 10.0
debian debian_linux 9.0
tenable tenable.sc *
CVE-2020-7064 MEDIUM

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L 3.9 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
debian debian_linux 8.0
debian debian_linux 9.0
canonical ubuntu_linux 20.04
canonical ubuntu_linux 18.04
php php *
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
tenable tenable.sc *
CVE-2020-7065 MEDIUM

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security@php.net 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
php php *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
debian debian_linux 10.0
canonical ubuntu_linux 19.10
canonical ubuntu_linux 20.04
canonical ubuntu_linux 18.04
tenable tenable.sc *
CVE-2020-7066 MEDIUM

In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-170,NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
opensuse leap 15.1
debian debian_linux 8.0
tenable tenable.sc 5.19.0
debian debian_linux 10.0
debian debian_linux 9.0
tenable tenable.sc *
CVE-2020-7067 MEDIUM

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-196,CWE-125,

Products Affected

Vendor Product Version
php php *
debian debian_linux 10.0
oracle communications_diameter_signaling_router *
debian debian_linux 9.0
tenable tenable.sc *
CVE-2020-7068 LOW

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5
nvd@nist.gov 3.6 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L 1.0 2.5

CVSS 2.0

Severity: LOW

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
php php *
debian debian_linux 10.0
tenable tenable.sc *
CVE-2020-7069 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-326,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.2
oracle communications_diameter_signaling_router *
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 20.04
canonical ubuntu_linux 18.04
php php *
netapp clustered_data_ontap -
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
fedoraproject fedora 33
debian debian_linux 10.0
tenable tenable.sc *
CVE-2020-7070 MEDIUM

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
security@php.net 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-565,

Products Affected

Vendor Product Version
canonical ubuntu_linux 12.04
opensuse leap 15.2
debian debian_linux 9.0
fedoraproject fedora 31
fedoraproject fedora 32
canonical ubuntu_linux 20.04
canonical ubuntu_linux 18.04
php php *
netapp clustered_data_ontap -
opensuse leap 15.1
canonical ubuntu_linux 14.04
canonical ubuntu_linux 16.04
fedoraproject fedora 33
debian debian_linux 10.0
tenable tenable.sc *
CVE-2020-7071 MEDIUM

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
debian debian_linux 10.0
debian debian_linux 9.0
CVE-2021-21702 MEDIUM

In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
debian debian_linux 10.0
oracle communications_diameter_signaling_router *
debian debian_linux 9.0
CVE-2021-21703 MEDIUM

In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-787,CWE-787,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 33
debian debian_linux 10.0
fedoraproject fedora 34
oracle communications_diameter_signaling_router *
debian debian_linux 9.0
CVE-2021-21704 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6
security@php.net 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 1.6 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,CWE-190,CWE-787,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
CVE-2021-21705 MEDIUM

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
security@php.net 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
oracle sd-wan_aware 8.2
CVE-2021-21706 MEDIUM

In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-24,CWE-22,

Products Affected

Vendor Product Version
php php *
CVE-2021-21707 MEDIUM

In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-159,NVD-CWE-Other,

Products Affected

Vendor Product Version
php php *
netapp clustered_data_ontap -
debian debian_linux 11.0
debian debian_linux 10.0
tenable tenable.sc *
CVE-2021-21708 MEDIUM

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result it crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L 3.9 4.2
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
php php *
CVE-2021-32610 LOW

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
php archive_tar *
fedoraproject fedora 35
fedoraproject fedora 33
fedoraproject fedora 34
debian debian_linux 9.0
CVE-2022-26635 HIGH

PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
php memcached *
CVE-2022-27157 HIGH

pearweb < 1.32 is suffers from a Weak Password Recovery Mechanism via include/users/passwordmanage.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-640,

Products Affected

Vendor Product Version
php pearweb *
CVE-2022-27158 HIGH

pearweb < 1.32 suffers from Deserialization of Untrusted Data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
php pearweb *
CVE-2022-31625 MEDIUM

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
security@php.net 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-590,CWE-824,CWE-763,

Products Affected

Vendor Product Version
php php *
debian debian_linux 11.0
debian debian_linux 10.0
CVE-2022-31626 MEDIUM

In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
php php *
debian debian_linux 11.0
debian debian_linux 10.0
CVE-2022-31627

In PHP versions 8.1.x below 8.1.8, when fileinfo functions, such as finfo_buffer, due to incorrect patch applied to the third party code from libmagic, incorrect function may be used to free allocated memory, which may lead to heap corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
CVE-2022-31628

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.

Products Affected

Vendor Product Version
php php *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 37
debian debian_linux 10.0
fedoraproject fedora 36
CVE-2022-31629

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

Products Affected

Vendor Product Version
php php *
debian debian_linux 11.0
fedoraproject fedora 35
fedoraproject fedora 37
debian debian_linux 10.0
fedoraproject fedora 36
CVE-2022-31630

In PHP versions prior to 7.4.33, 8.0.25 and 8.1.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information. 

Products Affected

Vendor Product Version
php php *
CVE-2022-31631

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
php php *
CVE-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
extended_keccak_code_package_project extended_keccak_code_package -
pysha3_project pysha3 *
sha3_project sha3 *
debian debian_linux 11.0
fedoraproject fedora 35
debian debian_linux 10.0
python python *
pypy pypy *
fedoraproject fedora 36
CVE-2022-4900

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.5 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
php php *
php php -
redhat enterprise_linux 7.0
php php 7.4.0
redhat enterprise_linux 6.0
php php 8.0.0
redhat enterprise_linux 9.0
redhat enterprise_linux 8.0
redhat software_collections -
php php 8.1.0
CVE-2023-0567

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 2.5 5.2
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 2.5 3.6

Products Affected

Vendor Product Version
php php *
CVE-2023-0568

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
php php *
CVE-2023-0662

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
php php *
CVE-2023-3247

In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. 

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
php php *
CVE-2023-3823

In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security@php.net 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L 3.9 4.7

Products Affected

Vendor Product Version
php php *
debian debian_linux 10.0
fedoraproject fedora 38
CVE-2023-3824

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L 3.9 5.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
debian debian_linux 10.0
fedoraproject fedora 38
CVE-2024-11233

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2
security@php.net 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5

Products Affected

Vendor Product Version
php php *
CVE-2024-11234

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N 3.9 2.7

Products Affected

Vendor Product Version
php php *
CVE-2024-11235

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
php php *
CVE-2024-11236

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
CVE-2024-1874

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L 3.9 5.5

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 40
fedoraproject fedora 39
CVE-2024-2408

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 40
CVE-2024-2757

In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
php php *
CVE-2024-3096

In PHP  version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
php php *
debian debian_linux 10.0
CVE-2024-3566

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Products Affected

Vendor Product Version
php php *
golang go *
rust-lang rust 1.77.2
yt-dlp_project yt-dlp *
nodejs node.js *
haskell process_library 1.6.19.0
CVE-2024-4577

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 40
fedoraproject fedora 39
CVE-2024-5458

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 40
CVE-2024-5585

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L 2.2 5.5

Products Affected

Vendor Product Version
php php *
fedoraproject fedora 40
CVE-2024-8925

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
php php *
CVE-2024-8926

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
php php *
php-fpm php-fpm *
CVE-2024-8927

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
php php *
CVE-2024-8929

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 1.3 4.0

Products Affected

Vendor Product Version
php php *
CVE-2024-8932

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
netapp ontap 9
CVE-2024-9026

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 1.8 1.4

Products Affected

Vendor Product Version
php php *
CVE-2025-1217

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
php php *
CVE-2025-1219

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
php php *
CVE-2025-1220

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
php php *
CVE-2025-14177

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

Products Affected

Vendor Product Version
php php *
php php 8.5.0
CVE-2025-14178

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

Products Affected

Vendor Product Version
php php *
CVE-2025-14180

In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1 when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server.

Products Affected

Vendor Product Version
php php *
CVE-2025-1734

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
php php *
netapp ontap 9
CVE-2025-1735

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
php php *
CVE-2025-1736

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

Products Affected

Vendor Product Version
php php *
netapp ontap 9
CVE-2025-1861

In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
php php *
netapp ontap 9
CVE-2025-6491

In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@php.net 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
php php *
CVE-2026-24894

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2.

Products Affected

Vendor Product Version
php frankenphp *
CVE-2026-24895

FrankenPHP is a modern application server for PHP. Prior to 1.11.2, FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .php) on a lowercased copy of the request path but applies that byte index to the original path. Because strings.ToLower() in Go can increase the byte length of certain UTF-8 characters (e.g., Ⱥ expands when lowercased), the computed index may not align with the correct position in the original string. This results in an incorrect SCRIPT_NAME and SCRIPT_FILENAME, potentially causing FrankenPHP to execute a file other than the one intended by the URI. This vulnerability is fixed in 1.11.2.

Products Affected

Vendor Product Version
php frankenphp *