Vulnerabilities > PHP > PHP > 7.2.24
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-27 | CVE-2020-7063 | Improper Preservation of Permissions vulnerability in multiple products In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. | 5.0 |
| 2020-02-27 | CVE-2020-7062 | NULL Pointer Dereference vulnerability in multiple products In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash. | 4.3 |
| 2020-02-27 | CVE-2020-7061 | Out-of-bounds Read vulnerability in multiple products In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. | 6.4 |
| 2020-02-10 | CVE-2020-7060 | Out-of-bounds Read vulnerability in multiple products When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. | 6.4 |
| 2020-02-10 | CVE-2020-7059 | Out-of-bounds Read vulnerability in multiple products When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. | 6.4 |
| 2019-12-23 | CVE-2019-11050 | Out-of-bounds Read vulnerability in multiple products When PHP EXIF extension is parsing EXIF information from an image, e.g. | 6.5 |
| 2019-12-23 | CVE-2019-11047 | Out-of-bounds Read vulnerability in multiple products When PHP EXIF extension is parsing EXIF information from an image, e.g. | 6.5 |
| 2019-12-23 | CVE-2019-11046 | Out-of-bounds Read vulnerability in multiple products In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. | 5.3 |
| 2019-12-23 | CVE-2019-11045 | Injection vulnerability in multiple products In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. | 5.9 |
| 2019-12-23 | CVE-2019-11044 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. | 7.5 |