Total
706 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2006-4433 | 1 Php | 1 Php | 2024-02-28 | 7.5 HIGH | N/A |
PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation. | |||||
CVE-2006-1017 | 1 Php | 1 Php | 2024-02-28 | 9.3 HIGH | N/A |
The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions. | |||||
CVE-2006-0996 | 1 Php | 1 Php | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed. | |||||
CVE-2005-1043 | 6 Apple, Conectiva, Peachtree and 3 more | 7 Mac Os X, Mac Os X Server, Linux and 4 more | 2024-02-28 | 5.0 MEDIUM | N/A |
exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion. | |||||
CVE-2005-3353 | 1 Php | 1 Php | 2024-02-28 | 5.0 MEDIUM | N/A |
The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image. | |||||
CVE-2006-0207 | 1 Php | 1 Php | 2024-02-28 | 5.0 MEDIUM | N/A |
Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. | |||||
CVE-2006-4481 | 1 Php | 1 Php | 2024-02-28 | 7.2 HIGH | N/A |
The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017. | |||||
CVE-2002-2309 | 1 Php | 1 Php | 2024-02-28 | 7.8 HIGH | N/A |
php.exe in PHP 3.0 through 4.2.2, when running on Apache, does not terminate properly, which allows remote attackers to cause a denial of service via a direct request without arguments. | |||||
CVE-2002-0986 | 1 Php | 1 Php | 2024-02-28 | 5.0 MEDIUM | N/A |
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy." | |||||
CVE-2002-1954 | 1 Php | 1 Php | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using soinfo.php. | |||||
CVE-2002-0253 | 1 Php | 1 Php | 2024-02-28 | 5.0 MEDIUM | N/A |
PHP, when not configured with the "display_errors = Off" setting in php.ini, allows remote attackers to obtain the physical path for an include file via a trailing slash in a request to a directly accessible PHP program, which modifies the base path, causes the include directive to fail, and produces an error message that contains the path. | |||||
CVE-2001-1247 | 1 Php | 1 Php | 2024-02-28 | 6.4 MEDIUM | N/A |
PHP 4.0.4pl1 and 4.0.5 in safe mode allows remote attackers to read and write files owned by the web server UID by uploading a PHP script that uses the error_log function to access the files. | |||||
CVE-2000-0059 | 1 Php | 1 Php | 2024-02-28 | 10.0 HIGH | N/A |
PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands. | |||||
CVE-2003-0442 | 2 Php, Redhat | 2 Php, Linux | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. | |||||
CVE-2004-0595 | 4 Avaya, Php, Redhat and 1 more | 8 Converged Communications Server, Integrated Management, S8300 and 5 more | 2024-02-28 | 6.8 MEDIUM | N/A |
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. | |||||
CVE-2004-0959 | 1 Php | 1 Php | 2024-02-28 | 2.1 LOW | N/A |
rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified. | |||||
CVE-2001-0108 | 2 Mandrakesoft, Php | 2 Mandrake Linux, Php | 2024-02-28 | 5.0 MEDIUM | N/A |
PHP Apache module 4.0.4 and earlier allows remote attackers to bypass .htaccess access restrictions via a malformed HTTP request on an unrestricted page that causes PHP to use those access controls on the next page that is requested. | |||||
CVE-2003-0097 | 1 Php | 1 Php | 2024-02-28 | 7.5 HIGH | N/A |
Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). | |||||
CVE-2002-0717 | 1 Php | 1 Php | 2024-02-28 | 7.5 HIGH | N/A |
PHP 4.2.0 and 4.2.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP POST request with certain arguments in a multipart/form-data form, which generates an error condition that is not properly handled and causes improper memory to be freed. | |||||
CVE-1999-0238 | 1 Php | 1 Php | 2024-02-28 | 10.0 HIGH | N/A |
php.cgi allows attackers to read any file on the system. |