Vulnerabilities > PHP
| Published | CVE | Title | Description | Affected / CWE | CVSS |
|---|---|---|---|---|---|
| 2023-03-01 | CVE-2023-0567 | Use of Password Hash With Insufficient Computational Effort vulnerability in PHP | In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. | | 6.2 |
| 2023-02-16 | CVE-2023-0568 | Allocation of Resources Without Limits or Throttling vulnerability in PHP | In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. | | 8.1 |
| 2023-02-16 | CVE-2023-0662 | Resource Exhaustion vulnerability in PHP | In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, an excessive number of parts in an HTTP form upload can cause high resource consumption and an excessive number of log entries. | | 7.5 |
| 2022-11-14 | CVE-2022-31630 | Out-of-bounds Read vulnerability in PHP | In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using the imageloadfont() function in the gd extension, it is possible to supply a specially crafted font file such that, if the loaded font is then used with the imagechar() function, a read outside the allocated buffer occurs. | | 7.1 |
| 2022-10-21 | CVE-2022-37454 | Integer Overflow or Wraparound vulnerability in multiple products | The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. | low complexity; extended-keccak-code-package-project, debian, fedoraproject, php, python, sha3-project, pysha3-project, pypy; CWE-190 | 9.8 |
| 2022-09-28 | CVE-2022-31628 | Uncontrolled Recursion vulnerability in multiple products | In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quine" gzip files, resulting in an infinite loop. | low complexity; php, fedoraproject, debian; CWE-674 | 5.5 |
| 2022-09-28 | CVE-2022-31629 | | In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. | low complexity; php, fedoraproject, debian | 6.5 |
| 2022-07-28 | CVE-2022-31627 | Out-of-bounds Write vulnerability in PHP | In PHP versions 8.1.x below 8.1.8, when using fileinfo functions such as finfo_buffer, an incorrect patch applied to the third-party libmagic code may cause the wrong function to be used to free allocated memory, which may lead to heap corruption. | | 9.8 |
| 2022-06-16 | CVE-2022-31625 | Release of Invalid Pointer or Reference vulnerability in multiple products | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. | | 8.1 |
| 2022-06-16 | CVE-2022-31626 | Classic Buffer Overflow vulnerability in multiple products | In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. | | 8.8 |