PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.

Релизный цикл, информация об уязвимостях

Продукт: PHP

Вендор: php

График релизов

Недавние уязвимости PHP

Количество 3 883

BDU:2024-03785

почти 2 года назад

Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации

CVSS3: 6.5

EPSS: Низкий

GHSA-f3qr-qr4x-j273

почти 2 года назад

php-svg-lib lacks path validation on font through SVG inline styles

CVSS3: 6.8

EPSS: Низкий

CVE-2024-25117

почти 2 года назад

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.

CVSS3: 6.8

EPSS: Низкий

CVE-2024-25117

почти 2 года назад

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...

CVSS3: 6.8

EPSS: Низкий

GHSA-95cc-jq89-8hvw

больше 2 лет назад

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVSS3: 6.2

EPSS: Низкий

CVE-2022-4900

больше 2 лет назад

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVSS3: 6.2

EPSS: Низкий

CVE-2022-4900

больше 2 лет назад

A vulnerability was found in PHP where setting the environment variabl ...

CVSS3: 6.2

EPSS: Низкий

CVE-2022-4900

больше 2 лет назад

A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.

CVSS3: 6.2

EPSS: Низкий

CVE-2023-3824

больше 2 лет назад

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

CVSS3: 9.4

EPSS: Средний

CVE-2023-3824

больше 2 лет назад

In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* bef ...

CVSS3: 9.4

EPSS: Средний

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
BDU:2024-03785 Уязвимость интерпретатора языка программирования PHP, связанная с ошибочной обработкой файлов cookie, позволяющая нарушителю перехватить сеанс и получить несанкционированный доступ к защищаемой информации	CVSS3: 6.5	10% Низкий	почти 2 года назад
GHSA-f3qr-qr4x-j273 php-svg-lib lacks path validation on font through SVG inline styles	CVSS3: 6.8	0% Низкий	почти 2 года назад
CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.	CVSS3: 6.8	0% Низкий	почти 2 года назад
CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...	CVSS3: 6.8	0% Низкий	почти 2 года назад
GHSA-95cc-jq89-8hvw A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.	CVSS3: 6.2	0% Низкий	больше 2 лет назад
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.	CVSS3: 6.2	0% Низкий	больше 2 лет назад
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variabl ...	CVSS3: 6.2	0% Низкий	больше 2 лет назад
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.	CVSS3: 6.2	0% Низкий	больше 2 лет назад
CVE-2023-3824 In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.	CVSS3: 9.4	33% Средний	больше 2 лет назад
CVE-2023-3824 In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* bef ...	CVSS3: 9.4	33% Средний	больше 2 лет назад

Уязвимостей на страницу