CVE-2024-1874
29.04.2024, 04:15
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.Enginsight
| Vendor | Product | Version |
|---|---|---|
| php | php | 8.1.0 ≤ 𝑥 < 8.1.28 |
| php | php | 8.2.0 ≤ 𝑥 < 8.2.18 |
| php | php | 8.3.0 ≤ 𝑥 < 8.3.5 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| php8.2 |
| ||||||||||||||
| php5 |
| ||||||||||||||
| php7.0 |
| ||||||||||||||
| php7.2 |
| ||||||||||||||
| php7.4 |
| ||||||||||||||
| php8.1 |
| ||||||||||||||
| php8.3 |
|
References