Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2021-01-18 CVE-2020-36193 Path Traversal vulnerability in PHP Archive TAR
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
network
low complexity
php CWE-22
5.0
2020-11-19 CVE-2020-28949 Injection vulnerability in multiple products
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
6.8
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
6.8
2020-10-02 CVE-2020-7070 Reliance ON Cookies Without Validation and Integrity Checking vulnerability in multiple products
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded.
network
low complexity
php debian fedoraproject CWE-565
5.0
2020-10-02 CVE-2020-7069 Inadequate Encryption Strength vulnerability in multiple products
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used.
network
low complexity
php fedoraproject CWE-326
6.4
2020-09-09 CVE-2020-7068 USE After Free vulnerability in PHP
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
local
php CWE-416
3.3
2020-05-20 CVE-2019-11048 Integer Overflow OR Wraparound vulnerability in PHP
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request.
network
low complexity
php CWE-190
5.0
2020-04-27 CVE-2020-7067 Out-Of-Bounds Read vulnerability in PHP
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
network
low complexity
php CWE-125
5.0
2020-04-01 CVE-2020-7066 Unspecified vulnerability in PHP
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
network
php
4.3
2020-04-01 CVE-2020-7065 Out-Of-Bounds Write vulnerability in multiple products
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer.
6.8