Max CVSS 7.5 Min CVSS 4.3 Total Count37
IDCVSSSummaryLast (major) updatePublished
CVE-2018-5712 4.3
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
16-01-2018 - 04:29 16-01-2018 - 04:29
CVE-2018-5711 4.3
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated
16-01-2018 - 04:29 16-01-2018 - 04:29
CVE-2017-16642 5.0
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the in
07-11-2017 - 16:29 07-11-2017 - 16:29
CVE-2017-12934 5.0
ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue can have a
17-08-2017 - 23:29 17-08-2017 - 23:29
CVE-2017-12933 7.5
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecifie
17-08-2017 - 23:29 17-08-2017 - 23:29
CVE-2017-12932 7.5
ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array s
17-08-2017 - 23:29 17-08-2017 - 23:29
CVE-2017-7890 4.3
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitia
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-11628 6.8
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant
25-07-2017 - 19:29 25-07-2017 - 19:29
CVE-2017-11362 7.5
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have
17-07-2017 - 09:18 17-07-2017 - 09:18
CVE-2017-11147 6.4
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile fu
10-07-2017 - 10:29 10-07-2017 - 10:29
CVE-2017-11145 5.0
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/p
10-07-2017 - 10:29 10-07-2017 - 10:29
CVE-2017-11144 5.0
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation c
10-07-2017 - 10:29 10-07-2017 - 10:29
CVE-2017-11143 5.0
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wdd
10-07-2017 - 10:29 10-07-2017 - 10:29
CVE-2017-9229 5.0
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_
24-05-2017 - 11:29 24-05-2017 - 11:29
CVE-2017-9228 7.5
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variab
24-05-2017 - 11:29 24-05-2017 - 11:29
CVE-2017-9227 7.5
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in for
24-05-2017 - 11:29 24-05-2017 - 11:29
CVE-2017-9226 7.5
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger th
24-05-2017 - 11:29 24-05-2017 - 11:29
CVE-2017-9224 7.5
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of vali
24-05-2017 - 11:29 24-05-2017 - 11:29
CVE-2016-10167 4.3
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
16-03-2017 - 14:48 15-03-2017 - 11:59
CVE-2016-10168 6.8
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
16-03-2017 - 14:31 15-03-2017 - 11:59
CVE-2016-10162 5.0
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacke
27-01-2017 - 21:59 24-01-2017 - 16:59
CVE-2016-10161 5.0
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data
27-01-2017 - 13:12 24-01-2017 - 16:59
CVE-2016-10160 7.5
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archiv
27-01-2017 - 13:12 24-01-2017 - 16:59
CVE-2016-10159 5.0
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PH
27-01-2017 - 12:53 24-01-2017 - 16:59
CVE-2016-10158 5.0
The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divid
27-01-2017 - 12:53 24-01-2017 - 16:59
CVE-2016-9936 7.5
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exist
17-01-2017 - 21:59 04-01-2017 - 15:59
CVE-2016-9935 7.5
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty bo
17-01-2017 - 21:59 04-01-2017 - 15:59
CVE-2016-9934 5.0
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
17-01-2017 - 21:59 04-01-2017 - 15:59
CVE-2016-9933 5.0
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation vi
17-01-2017 - 21:59 04-01-2017 - 15:59
CVE-2016-7479 7.5
In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
13-01-2017 - 11:01 11-01-2017 - 19:59
CVE-2017-5340 7.5
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory a
12-01-2017 - 21:59 11-01-2017 - 01:59
CVE-2016-7418 5.0
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an inc
28-11-2016 - 15:39 17-09-2016 - 17:59
CVE-2016-7417 7.5
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impac
28-11-2016 - 15:39 17-09-2016 - 17:59
CVE-2016-7416 5.0
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application cra
28-11-2016 - 15:39 17-09-2016 - 17:59
CVE-2016-7414 7.5
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possib
28-11-2016 - 15:39 17-09-2016 - 17:59
CVE-2016-7413 7.5
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document
28-11-2016 - 15:39 17-09-2016 - 17:59
CVE-2016-7412 6.8
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have un
28-11-2016 - 15:39 17-09-2016 - 17:59
Back to Top Mark selected
Back to Top