Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2017-07-10 CVE-2017-11147 Out-of-bounds Read vulnerability in multiple products
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.
network
low complexity
php netapp CWE-125
critical
9.1
2017-07-10 CVE-2017-11145 Information Exposure vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function.
network
low complexity
php CWE-200
7.5
2017-07-10 CVE-2017-11144 Improper Check for Unusual or Exceptional Conditions vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
network
low complexity
php CWE-754
7.5
2017-07-10 CVE-2017-11143 Deserialization of Untrusted Data vulnerability in PHP
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
network
low complexity
php CWE-502
7.5
2017-07-10 CVE-2017-11142 Resource Exhaustion vulnerability in PHP
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
network
low complexity
php CWE-400
7.5
2017-07-10 CVE-2016-10397 Improper Input Validation vulnerability in PHP
In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).
network
low complexity
php CWE-20
7.5
2017-06-08 CVE-2016-4473 Use After Free vulnerability in multiple products
/ext/phar/phar_object.c in PHP 7.0.7 and 5.6.x allows remote attackers to execute arbitrary code.
network
low complexity
php suse CWE-416
critical
9.8
2017-05-24 CVE-2017-9229 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-476
7.5
2017-05-24 CVE-2017-9228 Out-of-bounds Write vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project php CWE-787
critical
9.8
2017-05-24 CVE-2017-9227 Out-of-bounds Read vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project php CWE-125
critical
9.8