PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 843
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
BDU:2024-03785
Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации
GHSA-f3qr-qr4x-j273
php-svg-lib lacks path validation on font through SVG inline styles
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...
GHSA-95cc-jq89-8hvw
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variabl ...
CVE-2022-4900
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
CVE-2023-3824
In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | 55% Средний | больше 1 года назад | |
 | BDU:2024-03785 Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации | CVSS3: 6.5 | 5% Низкий | больше 1 года назад |
| GHSA-f3qr-qr4x-j273 php-svg-lib lacks path validation on font through SVG inline styles | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
 | CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ... | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| GHSA-95cc-jq89-8hvw A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | почти 2 года назад |
| CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | почти 2 года назад |
| CVE-2022-4900 A vulnerability was found in PHP where setting the environment variabl ... | CVSS3: 6.2 | 0% Низкий | почти 2 года назад |
 | CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | почти 2 года назад |
| CVE-2023-3824 In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. | CVSS3: 9.4 | 19% Средний | около 2 лет назад |
Уязвимостей на страницу