Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2021-02-15 CVE-2021-21702 Null Pointer Dereference vulnerability in multiple products
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.
network
low complexity
php debian netapp CWE-476
5.0
2021-02-15 CVE-2020-7071 Improper Input Validation vulnerability in multiple products
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL.
network
low complexity
php debian netapp CWE-20
5.0
2021-01-18 CVE-2020-36193 Path Traversal vulnerability in multiple products
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
network
low complexity
php fedoraproject debian drupal CWE-22
5.0
2020-11-19 CVE-2020-28949 Injection vulnerability in multiple products
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
6.8
2020-11-19 CVE-2020-28948 Deserialization of Untrusted Data vulnerability in multiple products
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
6.8
2020-10-02 CVE-2020-7070 Reliance ON Cookies Without Validation and Integrity Checking vulnerability in multiple products
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded.
5.0
2020-10-02 CVE-2020-7069 Inadequate Encryption Strength vulnerability in multiple products
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used.
6.4
2020-09-09 CVE-2020-7068 USE After Free vulnerability in multiple products
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
3.3
2020-05-20 CVE-2019-11048 Integer Overflow OR Wraparound vulnerability in PHP
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request.
network
low complexity
php CWE-190
5.0
2020-04-27 CVE-2020-7067 Out-Of-Bounds Read vulnerability in PHP
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
network
low complexity
php CWE-125
5.0