PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 843
CVE-2024-3096
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
CVE-2024-3096
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before ...
CVE-2024-2757
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
CVE-2024-2757
In PHP 8.3.* before 8.3.5, functionmb_encode_mimeheader() runs endless ...
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before ...
CVE-2024-3096
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
CVE-2024-2757
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function.
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVE-2024-3096
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2024-3096 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | CVSS3: 6.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-3096 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before ... | CVSS3: 6.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-2757 In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function. | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-2757 In PHP 8.3.* before 8.3.5, functionmb_encode_mimeheader() runs endless ... | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | CVSS3: 9.4 | 55% Средний | больше 1 года назад |
| CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before ... | CVSS3: 9.4 | 55% Средний | больше 1 года назад |
 | CVE-2024-3096 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | CVSS3: 6.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-2757 In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends data to an application that uses this function. | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
| CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | CVSS3: 9.4 | 55% Средний | больше 1 года назад |
 | CVE-2024-3096 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. | CVSS3: 4.8 | 0% Низкий | больше 1 года назад |
Уязвимостей на страницу