Web Development

In PHP versions from 8.3.0 to before 8.3.19 and from 8.4.0 to before 8.4.5 a critical severity vulnerability CVE-2024-11235 was detected. This vulnerability allows attackers to run code remotely by triggering a memory bug with certain code and inputs. To address this issue, users should upgrade PHP to versions 8.3.19 or 8.4.5. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11235.

In PHP versions up to 8.1.31, 8.2.27, 8.3.18 and 8.4.4 a medium severity vulnerability CVE-2025-1219 was detected. This vulnerability allows incorrect parsing of documents or bypassing of validations due to the wrong content-type header being used to determine the charset during HTTP redirects. To address this issue, users should upgrade PHP to versions 8.1.32, 8.2.28, 8.3.19, 8.4.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1219.

In PHP versions up to 8.1.31, 8.2.27, 8.3.18 and 8.4.4 a medium severity vulnerability CVE-2025-1734 was detected. This vulnerability allows invalid headers, specifically those missing a colon (:), to be incorrectly treated as valid headers, potentially leading to unexpected behavior or security vulnerabilities such as header injection attacks. To address this issue, users should upgrade PHP to versions 8.1.32, 8.2.28, 8.3.19, 8.4.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1734.

In PHP versions 8.1.* before 8.1.32, 8.2.* before 8.2.28, 8.3.* before 8.3.19 and 8.4.* before 8.4.5 a medium severity vulnerability CVE-2025-1217 was detected. This vulnerability causes incorrect parsing of folded HTTP headers in the HTTP request module, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc. To address this issue, users should upgrade PHP to versions 8.1.32, 8.2.28, 8.3.19, 8.4.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1217.

In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, and 8.2.* before 8.2.2 a critical severity vulnerability CVE-2022-31631 was detected. This vulnerability allows attackers to exploit improper quoting in the PDO::quote() function for SQLite, potentially leading to SQL injection when processing overly long strings. Currently, there is no fix version for that issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-31631.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a critical severity vulnerability CVE-2024-8932 was detected. This vulnerability allows attackers to cause an integer overflow through uncontrolled long string inputs to the ldap_escape() function on 32-bit systems, leading to an out-of-bounds write. To address this issue, users must upgrade to PHP versions 8.1.31, 8.2.26 or 8.3.14. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8932.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a medium severity vulnerability CVE-2024-8929 was detected. This vulnerability allows attackers to exploit a malicious MySQL server to force the PHP client to reveal sensitive data from its memory, including information from other users. To address this issue, users must upgrade to PHP versions 8.1.31 or later, 8.2.26, or 8.3.14. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8929.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a medium severity vulnerability CVE-2024-11234 was detected. This vulnerability allows attackers to perform HTTP request smuggling due to improper sanitization of the URI when using streams with a proxy and the “request_fulluri” option. This could allow attackers to send arbitrary requests from the server, potentially accessing restricted resources. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11234.

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, and 8.3.* before 8.3.14 a medium severity vulnerability CVE-2024-11233 was detected. This vulnerability allows attackers to exploit an error in the convert.quoted-printable-decode filter, leading to a buffer overread by one byte. In certain cases, this can cause crashes or disclose content from other memory areas. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-11233.