Vulnerabilities > PHP > PHP > Low
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-09-09 | CVE-2020-7068 | Use After Free vulnerability in multiple products In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. | 3.3 |
2018-04-29 | CVE-2018-10545 | Information Exposure vulnerability in PHP An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. | 1.9 |
2014-09-27 | CVE-2014-5459 | Link Following vulnerability in multiple products The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions. | 3.6 |
2012-08-06 | CVE-2012-3450 | Unspecified vulnerability in PHP pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value. | 2.6 |
2009-03-03 | CVE-2009-0754 | USE of Externally-Controlled Format String vulnerability in PHP 4.4.4/5.1.6 PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. | 2.1 |
2009-01-02 | CVE-2008-5814 | Cross-Site Scripting vulnerability in PHP Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2.6 |
2007-11-20 | CVE-2007-6039 | Improper Input Validation vulnerability in PHP PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in (1) the domain parameter to the dgettext function, the message parameter to the (2) dcgettext or (3) gettext function, the msgid1 parameter to the (4) dngettext or (5) ngettext function, or (6) the classname parameter to the stream_wrapper_register function. | 2.1 |
2007-05-09 | CVE-2007-2509 | Improper Input Validation vulnerability in PHP CRLF injection vulnerability in the ftp_putcmd function in PHP before 4.4.7, and 5.x before 5.2.2 allows remote attackers to inject arbitrary FTP commands via CRLF sequences in the parameters to earlier FTP commands. | 2.6 |
2006-09-12 | CVE-2006-4625 | Unspecified vulnerability in PHP PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults. | 3.6 |
2006-08-31 | CVE-2006-4484 | Input Validation vulnerability in PHP Buffer overflow in the LWZReadByte_ function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array. | 2.6 |