Vulnerabilities > PHP

DATE CVE VULNERABILITY TITLE RISK
2017-03-02 CVE-2015-8994 Permissions, Privileges, and Access Controls vulnerability in PHP
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled.
network
high complexity
php CWE-264
7.5
2017-02-01 CVE-2017-5630 Injection vulnerability in PHP Pear 1.10.1
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
network
low complexity
php CWE-74
7.5
2017-01-24 CVE-2016-10162 NULL Pointer Dereference vulnerability in PHP
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
network
low complexity
php CWE-476
7.5
2017-01-24 CVE-2016-10161 Out-of-bounds Read vulnerability in PHP
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
network
low complexity
php CWE-125
7.5
2017-01-24 CVE-2016-10160 Off-by-one Error vulnerability in multiple products
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
network
low complexity
php netapp debian CWE-193
critical
9.8
2017-01-24 CVE-2016-10159 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
network
low complexity
php debian CWE-190
7.5
2017-01-24 CVE-2016-10158 Numeric Errors vulnerability in PHP
The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
network
low complexity
php CWE-189
7.5
2017-01-23 CVE-2016-5873 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP Pecl Http 3.0.1
Buffer overflow in the HTTP URL parsing functions in pecl_http before 3.0.1 might allow remote attackers to execute arbitrary code via non-printable characters in a URL.
network
low complexity
php CWE-119
critical
9.8
2017-01-12 CVE-2016-7479 Use After Free vulnerability in PHP
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free.
network
low complexity
php CWE-416
critical
9.8
2017-01-11 CVE-2016-7480 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
network
low complexity
php netapp CWE-119
critical
9.8