Vulnerabilities > PHP > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-07-30 | CVE-2021-32610 | Link Following vulnerability in multiple products In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. | 7.1 |
2021-01-18 | CVE-2020-36193 | Link Following vulnerability in multiple products Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | 7.5 |
2020-11-19 | CVE-2020-28949 | Injection vulnerability in multiple products Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | 7.8 |
2020-11-19 | CVE-2020-28948 | Deserialization of Untrusted Data vulnerability in multiple products Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | 7.8 |
2020-02-12 | CVE-2011-3336 | Resource Exhaustion vulnerability in multiple products regcomp in the BSD implementation of libc is vulnerable to denial of service due to stack exhaustion. | 7.8 |
2019-12-23 | CVE-2019-11044 | In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. | 7.5 |
2019-11-26 | CVE-2011-1939 | SQL Injection vulnerability in multiple products SQL injection vulnerability in Zend Framework 1.10.x before 1.10.9 and 1.11.x before 1.11.6 when using non-ASCII-compatible encodings in conjunction PDO_MySql in PHP before 5.3.6. | 7.5 |
2019-11-25 | CVE-2019-19246 | Out-of-bounds Read vulnerability in multiple products Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. | 7.5 |
2019-09-06 | CVE-2016-7398 | Incorrect Type Conversion or Cast vulnerability in PHP Ext-Http A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests. | 7.5 |
2019-08-09 | CVE-2019-11042 | Out-of-bounds Read vulnerability in multiple products When PHP EXIF extension is parsing EXIF information from an image, e.g. | 7.1 |