PHP is a popular general-purpose scripting language, especially suited to web development.
Release cycle, vulnerability information
Release schedule
Count: 3 756

Vulnerability | CVSS | EPSS | Published
---|---|---|---
BDU:2024-03785 A vulnerability in the PHP programming language interpreter related to incorrect handling of cookies, allowing an attacker to hijack a session and gain unauthorized access to protected information | CVSS3: 6.5 | 9% Low | about 1 year ago
GHSA-f3qr-qr4x-j273 php-svg-lib lacks path validation on font through SVG inline styles | CVSS3: 6.8 | 0% Low | more than 1 year ago
CVE-2024-25117 php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR URL, which might lead to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might lead to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes()`, or the `Style::parseCssStyle()` should check the content of the `font-family` and prevent it from using a PHAR URL, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. | CVSS3: 6.8 | 0% Low | more than 1 year ago
GHSA-95cc-jq89-8hvw A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Low | more than 1 year ago
CVE-2022-4900 A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. | CVSS3: 6.2 | 0% Low | more than 1 year ago
CVE-2023-3824 In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. | CVSS3: 9.4 | 17% Medium | almost 2 years ago