Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2023-11-02 CVE-2022-4900 Out-of-bounds Write vulnerability in PHP 7.4.0/8.0.0/8.1.0
A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow.
local
low complexity
php CWE-787
5.5
2023-08-11 CVE-2023-3823 XXE vulnerability in multiple products
In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded.
network
low complexity
php fedoraproject debian CWE-611
7.5
2023-08-11 CVE-2023-3824 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 
network
low complexity
php fedoraproject debian CWE-119
critical
9.8
2023-07-22 CVE-2023-3247 Use of Insufficiently Random Values vulnerability in PHP
In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have.
network
low complexity
php CWE-330
4.3
2023-03-01 CVE-2023-0567 Use of Password Hash With Insufficient Computational Effort vulnerability in PHP
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid.
local
low complexity
php CWE-916
6.2
2023-02-16 CVE-2023-0568 Allocation of Resources Without Limits or Throttling vulnerability in PHP
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small.
network
high complexity
php CWE-770
8.1
2023-02-16 CVE-2023-0662 Resource Exhaustion vulnerability in PHP
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries.
network
low complexity
php CWE-400
7.5
2022-11-14 CVE-2022-31630 Out-of-bounds Read vulnerability in PHP
In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used.
local
low complexity
php CWE-125
7.1
2022-10-21 CVE-2022-37454 Integer Overflow or Wraparound vulnerability in multiple products
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties.
9.8
2022-09-28 CVE-2022-31628 Infinite Loop vulnerability in multiple products
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.
local
low complexity
php fedoraproject debian CWE-835
5.5