Vulnerabilities > PHP > High

DATE CVE VULNERABILITY TITLE RISK
2017-04-19 CVE-2017-7963 Allocation of Resources Without Limits or Throttling vulnerability in PHP
The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings.
network
low complexity
php CWE-770
7.5
2017-04-03 CVE-2017-6441 NULL Pointer Dereference vulnerability in PHP 7.1.2
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script.
network
low complexity
php CWE-476
7.5
2017-03-27 CVE-2017-7272 Server-Side Request Forgery (SSRF) vulnerability in PHP
PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained.
network
low complexity
php CWE-918
7.4
2017-03-02 CVE-2015-8994 Permissions, Privileges, and Access Controls vulnerability in PHP
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled.
network
high complexity
php CWE-264
7.5
2017-02-01 CVE-2017-5630 Injection vulnerability in PHP Pear 1.10.1
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
network
low complexity
php CWE-74
7.5
2017-01-24 CVE-2016-10162 NULL Pointer Dereference vulnerability in PHP
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
network
low complexity
php CWE-476
7.5
2017-01-24 CVE-2016-10161 Out-of-bounds Read vulnerability in PHP
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
network
low complexity
php CWE-125
7.5
2017-01-24 CVE-2016-10159 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
network
low complexity
php debian CWE-190
7.5
2017-01-24 CVE-2016-10158 Numeric Errors vulnerability in PHP
The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
network
low complexity
php CWE-189
7.5
2017-01-11 CVE-2016-7478 Unspecified vulnerability in PHP
Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.
network
low complexity
php
7.5