PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 867
BDU:2022-02419
Уязвимость функции wddx_deserialize() интерпретатора языка программирования PHP , связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании
SUSE-SU-2017:1709-1
Security update for php53
CVE-2017-11145
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.
CVE-2018-5712
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
CVE-2016-4473
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.
CVE-2016-4473
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers ...
CVE-2016-4473
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833.
BDU:2017-01772
Уязвимость компонента /ext/phar/phar_object.c интерпретатора PHP, позволяющая нарушителю выполнить произвольный код
CVE-2017-11144
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVE-2017-9229
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | BDU:2022-02419 Уязвимость функции wddx_deserialize() интерпретатора языка программирования PHP , связанная с использованием памяти после её освобождения, позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 7.5 | 12% Средний | больше 8 лет назад |
 | SUSE-SU-2017:1709-1 Security update for php53 | 0% Низкий | больше 8 лет назад | |
 | CVE-2017-11145 In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. | CVSS3: 5.3 | 8% Низкий | больше 8 лет назад |
| CVE-2018-5712 An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. | CVSS3: 6.1 | 11% Средний | больше 8 лет назад |
 | CVE-2016-4473 /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. | CVSS3: 9.8 | 24% Средний | больше 8 лет назад |
| CVE-2016-4473 /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers ... | CVSS3: 9.8 | 24% Средний | больше 8 лет назад |
 | CVE-2016-4473 /ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code. NOTE: Introduced as part of an incomplete fix to CVE-2015-6833. | CVSS3: 9.8 | 24% Средний | больше 8 лет назад |
| BDU:2017-01772 Уязвимость компонента /ext/phar/phar_object.c интерпретатора PHP, позволяющая нарушителю выполнить произвольный код | CVSS2: 7.5 | 24% Средний | больше 8 лет назад |
| CVE-2017-11144 In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission. | CVSS3: 5.9 | 42% Средний | больше 8 лет назад |
| CVE-2017-9229 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition. | CVSS3: 7.5 | 1% Низкий | больше 8 лет назад |
Уязвимостей на страницу