PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.

Релизный цикл, информация об уязвимостях

Продукт: PHP

Вендор: php

График релизов

Недавние уязвимости PHP

Количество 3 867

CVE-2015-4116

больше 9 лет назад

Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.

CVSS3: 9.8

EPSS: Низкий

CVE-2015-4116

больше 9 лет назад

Use-after-free vulnerability in the spl_ptr_heap_insert function in ex ...

CVSS3: 9.8

EPSS: Низкий

CVE-2015-3412

больше 9 лет назад

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

CVSS3: 5.3

EPSS: Низкий

CVE-2015-3412

больше 9 лет назад

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...

CVSS3: 5.3

EPSS: Низкий

CVE-2015-3411

больше 9 лет назад

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.

CVSS3: 6.5

EPSS: Низкий

CVE-2015-3411

больше 9 лет назад

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...

CVSS3: 6.5

EPSS: Низкий

CVE-2015-3152

больше 9 лет назад

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

CVSS3: 5.9

EPSS: Средний

CVE-2015-3152

больше 9 лет назад

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclien ...

CVSS3: 5.9

EPSS: Средний

CVE-2014-0236

больше 9 лет назад

file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c.

CVSS3: 7.5

EPSS: Низкий

CVE-2014-0236

больше 9 лет назад

file before 5.18, as used in the Fileinfo component in PHP before 5.6. ...

CVSS3: 7.5

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2015-4116 Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.	CVSS3: 9.8	5% Низкий	больше 9 лет назад
CVE-2015-4116 Use-after-free vulnerability in the spl_ptr_heap_insert function in ex ...	CVSS3: 9.8	5% Низкий	больше 9 лет назад
CVE-2015-3412 PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.	CVSS3: 5.3	1% Низкий	больше 9 лет назад
CVE-2015-3412 PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...	CVSS3: 5.3	1% Низкий	больше 9 лет назад
CVE-2015-3411 PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.	CVSS3: 6.5	0% Низкий	больше 9 лет назад
CVE-2015-3411 PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does no ...	CVSS3: 6.5	0% Низкий	больше 9 лет назад
CVE-2015-3152 Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.	CVSS3: 5.9	52% Средний	больше 9 лет назад
CVE-2015-3152 Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclien ...	CVSS3: 5.9	52% Средний	больше 9 лет назад
CVE-2014-0236 file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c.	CVSS3: 7.5	1% Низкий	больше 9 лет назад
CVE-2014-0236 file before 5.18, as used in the Fileinfo component in PHP before 5.6. ...	CVSS3: 7.5	1% Низкий	больше 9 лет назад

Уязвимостей на страницу