PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 867
BDU:2024-03215
Уязвимость функции password_verify() интерпретатора языка программирования PHP, позволяющая нарушителю обойти процесс аутентификации и получить несанкционированный доступ к веб-приложению
GHSA-9xch-xvj3-fmf3
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
CVE-2024-3566
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
CVE-2024-3566
A command inject vulnerability allows an attacker to perform command i ...
CVE-2024-1874
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
BDU:2024-03785
Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации
GHSA-f3qr-qr4x-j273
php-svg-lib lacks path validation on font through SVG inline styles
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.
CVE-2024-25117
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...
GHSA-95cc-jq89-8hvw
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | BDU:2024-03215 Уязвимость функции password_verify() интерпретатора языка программирования PHP, позволяющая нарушителю обойти процесс аутентификации и получить несанкционированный доступ к веб-приложению | CVSS3: 9.1 | 1% Низкий | больше 1 года назад |
| GHSA-9xch-xvj3-fmf3 A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | CVSS3: 9.8 | 4% Низкий | больше 1 года назад |
 | CVE-2024-3566 A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. | CVSS3: 9.8 | 4% Низкий | больше 1 года назад |
| CVE-2024-3566 A command inject vulnerability allows an attacker to perform command i ... | CVSS3: 9.8 | 4% Низкий | больше 1 года назад |
 | CVE-2024-1874 In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | 58% Средний | больше 1 года назад | |
| BDU:2024-03785 Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации | CVSS3: 6.5 | 7% Низкий | больше 1 года назад |
| GHSA-f3qr-qr4x-j273 php-svg-lib lacks path validation on font through SVG inline styles | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ... | CVSS3: 6.8 | 0% Низкий | больше 1 года назад |
| GHSA-95cc-jq89-8hvw A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Низкий | около 2 лет назад |
Уязвимостей на страницу