PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 867
CVE-2022-31631
In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
CVE-2024-11233
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
CVE-2024-11233
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ...
CVE-2024-11233
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
CVE-2024-11236
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
CVE-2024-11236
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ...
CVE-2024-11234
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
CVE-2024-11234
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ...
CVE-2024-11236
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
CVE-2024-11234
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2022-31631 In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities. | CVSS3: 9.1 | 0% Низкий | 9 месяцев назад |
 | CVE-2024-11233 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas. | CVSS3: 4.8 | 0% Низкий | 11 месяцев назад |
| CVE-2024-11233 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ... | CVSS3: 4.8 | 0% Низкий | 11 месяцев назад |
| CVE-2024-11233 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas. | CVSS3: 4.8 | 0% Низкий | 11 месяцев назад |
| CVE-2024-11236 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | CVSS3: 9.8 | 1% Низкий | 12 месяцев назад |
| CVE-2024-11236 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ... | CVSS3: 9.8 | 1% Низкий | 12 месяцев назад |
| CVE-2024-11234 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. | CVSS3: 4.8 | 0% Низкий | 12 месяцев назад |
| CVE-2024-11234 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before ... | CVSS3: 4.8 | 0% Низкий | 12 месяцев назад |
| CVE-2024-11236 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. | CVSS3: 9.8 | 1% Низкий | 12 месяцев назад |
| CVE-2024-11234 In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user. | CVSS3: 4.8 | 0% Низкий | 12 месяцев назад |
Уязвимостей на страницу