Search CVE reports
11 – 20 of 656 results
Some fixes available 5 of 7
In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.1, php8.3
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Needs evaluation |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.1 | Not in release | Fixed | Not in release | — |
| php8.3 | Fixed | Not in release | Not in release | — |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of...
6 affected packages
php8.1, php5, php7.0, php7.2, php7.4, php8.3
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php8.1 | Not in release | Fixed | Not in release | — |
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Fixed |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.3 | Fixed | Not in release | Not in release | — |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.1, php8.3
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Not affected |
| php7.4 | Not in release | Not in release | Not affected | — |
| php8.1 | Not in release | Not affected | Not in release | — |
| php8.3 | Not affected | Not in release | Not in release | — |
In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to...
6 affected packages
php5, php7.0, php7.2, php7.4, php8.1, php8.3
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Fixed |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.1 | Not in release | Fixed | Not in release | — |
| php8.3 | Fixed | Not in release | Not in release | — |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax,...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Not affected |
| php7.4 | Not in release | Not in release | Not affected | — |
| php8.1 | Not in release | Not affected | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | — |
| php8.3 | Not affected | Not in release | Not in release | — |
Some fixes available 7 of 8
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Fixed |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.1 | Not in release | Fixed | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | — |
| php8.3 | Fixed | Not in release | Not in release | — |
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Not affected |
| php7.4 | Not in release | Not in release | Not affected | — |
| php8.1 | Not in release | Not affected | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | — |
| php8.3 | Not affected | Not in release | Not in release | — |
Some fixes available 7 of 8
In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Fixed |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.1 | Not in release | Fixed | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | Not in release |
| php8.3 | Fixed | Not in release | Not in release | Not in release |
In PHP 8.3.* before 8.3.5, function mb_encode_mimeheader() runs endlessly for some inputs that contain long strings of non-space characters followed by a space. This could lead to a potential DoS attack if a hostile user sends...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Not affected |
| php7.4 | Not in release | Not in release | Not affected | — |
| php8.1 | Not in release | Not affected | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | Not in release |
| php8.3 | Fixed | Not in release | Not in release | Not in release |
Some fixes available 7 of 8
Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or...
7 affected packages
php5, php7.0, php7.2, php7.4, php8.1...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| php5 | Not in release | Not in release | Not in release | — |
| php7.0 | Not in release | Not in release | Not in release | — |
| php7.2 | Not in release | Not in release | Not in release | Fixed |
| php7.4 | Not in release | Not in release | Fixed | — |
| php8.1 | Not in release | Fixed | Not in release | — |
| php8.2 | Not in release | Not in release | Not in release | Not in release |
| php8.3 | Fixed | Not in release | Not in release | Not in release |