Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2017-11-07 CVE-2017-16642 Out-of-bounds Read vulnerability in multiple products
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function.
network
low complexity
php debian canonical netapp CWE-125
7.5
2017-08-18 CVE-2017-12934 Use After Free vulnerability in PHP
ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h.
network
low complexity
php CWE-416
7.5
2017-08-18 CVE-2017-12933 Out-of-bounds Read vulnerability in PHP
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
network
low complexity
php CWE-125
critical
9.8
2017-08-18 CVE-2017-12932 Use After Free vulnerability in PHP
ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size.
network
low complexity
php CWE-416
critical
9.8
2017-08-02 CVE-2017-7890 Information Exposure vulnerability in PHP
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use.
network
low complexity
php CWE-200
6.5
2017-07-25 CVE-2017-11628 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code.
local
low complexity
php CWE-119
7.8
2017-07-17 CVE-2017-11362 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.
network
low complexity
php CWE-119
critical
9.8
2017-07-10 CVE-2017-11147 Out-of-bounds Read vulnerability in multiple products
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
network
low complexity
php netapp CWE-125
critical
9.1
2017-07-10 CVE-2017-11145 Information Exposure vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function.
network
low complexity
php CWE-200
7.5
2017-07-10 CVE-2017-11144 Improper Check for Unusual or Exceptional Conditions vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
network
low complexity
php CWE-754
7.5