Vulnerabilities > PHP > High

DATE CVE VULNERABILITY TITLE RISK
2019-03-09 CVE-2019-9637 Permissions, Privileges, and Access Controls vulnerability in multiple products
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3.
network
low complexity
php debian canonical opensuse netapp CWE-264
7.5
2019-02-22 CVE-2019-9024 Out-of-bounds Read vulnerability in multiple products
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1.
network
low complexity
php debian canonical netapp opensuse CWE-125
7.5
2019-02-22 CVE-2019-9022 Out-of-bounds Read vulnerability in multiple products
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2.
network
low complexity
php debian canonical netapp CWE-125
7.5
2019-02-21 CVE-2018-20783 Out-of-bounds Read vulnerability in multiple products
In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file.
network
low complexity
php opensuse CWE-125
7.5
2019-01-27 CVE-2019-6977 Out-of-bounds Write vulnerability in multiple products
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow.
network
low complexity
libgd php debian canonical netapp CWE-787
8.8
2018-12-28 CVE-2018-1000888 Deserialization of Untrusted Data vulnerability in multiple products
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class.
network
low complexity
php canonical debian CWE-502
8.8
2018-12-07 CVE-2018-19935 NULL Pointer Dereference vulnerability in multiple products
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
network
low complexity
php debian CWE-476
7.5
2018-11-25 CVE-2018-19520 Code Injection vulnerability in multiple products
An issue was discovered in SDCMS 1.6 with PHP 5.x.
network
low complexity
sdcms php CWE-94
8.8
2018-11-25 CVE-2018-19518 Argument Injection or Modification vulnerability in multiple products
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics.
network
high complexity
php debian uw-imap-project canonical CWE-88
7.5
2018-11-20 CVE-2018-19396 Deserialization of Untrusted Data vulnerability in PHP
ext/standard/var_unserializer.c in PHP 5.x through 7.1.24 allows attackers to cause a denial of service (application crash) via an unserialize call for the com, dotnet, or variant class.
network
low complexity
php CWE-502
7.5