Vulnerabilities > PHP > PHP > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-05-24 | CVE-2017-9224 | Out-of-bounds Read vulnerability in multiple products An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. | 7.5 |
| 2017-05-21 | CVE-2017-9119 | Resource Exhaustion vulnerability in multiple products The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 allows attackers to cause a denial of service (memory consumption and application crash) or possibly have unspecified other impact by triggering crafted operations on array data structures. | 7.5 |
| 2017-05-12 | CVE-2017-8923 | Out-of-bounds Write vulnerability in PHP The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string. | 7.5 |
| 2017-04-21 | CVE-2016-5399 | Out-of-bounds Write vulnerability in PHP The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. | 7.8 |
| 2017-04-19 | CVE-2017-7963 | Allocation of Resources Without Limits or Throttling vulnerability in PHP The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. | 7.5 |
| 2017-04-03 | CVE-2017-6441 | NULL Pointer Dereference vulnerability in PHP 7.1.2 The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. | 7.5 |
| 2017-01-24 | CVE-2016-10160 | Off-by-one Error vulnerability in multiple products Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. | 7.5 |
| 2017-01-12 | CVE-2016-7479 | Use After Free vulnerability in PHP In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. | 7.5 |
| 2017-01-11 | CVE-2016-7480 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. | 7.5 |
| 2017-01-11 | CVE-2017-5340 | Integer Overflow or Wraparound vulnerability in multiple products Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data. | 7.5 |