Vulnerabilities > PHP > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-04-19 | CVE-2017-7963 | Allocation of Resources Without Limits or Throttling vulnerability in PHP. The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. | 7.5 |
2017-04-03 | CVE-2017-6441 | NULL Pointer Dereference vulnerability in PHP 7.1.2. The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. | 7.5 |
2017-03-27 | CVE-2017-7272 | Server-Side Request Forgery (SSRF) vulnerability in PHP. PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. | 7.4 |
2017-03-02 | CVE-2015-8994 | Permissions, Privileges, and Access Controls vulnerability in PHP. An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. | 7.5 |
2017-02-01 | CVE-2017-5630 | Injection vulnerability in PHP Pear 1.10.1. PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite. | 7.5 |
2017-01-24 | CVE-2016-10162 | NULL Pointer Dereference vulnerability in PHP. The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. | 7.5 |
2017-01-24 | CVE-2016-10161 | Out-of-bounds Read vulnerability in PHP. The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. | 7.5 |
2017-01-24 | CVE-2016-10159 | Integer Overflow or Wraparound vulnerability in multiple products. Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. | 7.5 |
2017-01-24 | CVE-2016-10158 | Numeric Errors vulnerability in PHP. The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1. | 7.5 |
2017-01-11 | CVE-2016-7478 | Unspecified vulnerability in PHP. Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. | 7.5 |