PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 768
CVE-2024-3566
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
BDU:2024-03785
Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации
GHSA-f3qr-qr4x-j273
php-svg-lib lacks path validation on font through SVG inline styles
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.
GHSA-95cc-jq89-8hvw
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variabl ...
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2024-3566 A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | CVSS3: 9.8 | 4% Низкий | около 1 года назад |
 | CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | 55% Средний | около 1 года назад | |
 | BDU:2024-03785 Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации | CVSS3: 6.5 | 9% Низкий | около 1 года назад |
| GHSA-f3qr-qr4x-j273 php-svg-lib lacks path validation on font through SVG inline styles | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ... | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| GHSA-95cc-jq89-8hvw A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | больше 1 года назад |
| CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | больше 1 года назад |
| CVE-2022-4900 A vulnerability was found in PHP where setting the environment variabl ... | CVSS3: 6.2 | 0% Низкий | больше 1 года назад |
 | CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | больше 1 года назад |
Уязвимостей на страницу