rpm package
opensuse/php7&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/php7&distro=openSUSE%20Tumbleweed
Vulnerabilities (121)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2010-4645 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jan 11, 2011 | strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handle | ||
| CVE-2010-4150 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Dec 7, 2010 | Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | ||
| CVE-2010-3709 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Nov 9, 2010 | The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive. | ||
| CVE-2010-3436 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Nov 9, 2010 | fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename. | ||
| CVE-2010-3710 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Oct 25, 2010 | Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address strin | ||
| CVE-2010-2950 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Sep 28, 2010 | Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_str | ||
| CVE-2010-2225 | — | < 7.0.14-1.4 | 7.0.14-1.4 | Jun 24, 2010 | Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function. | ||
| CVE-2008-0599 | Cri | 9.8 | < 7.4.24-1.1 | 7.4.24-1.1 | May 5, 2008 | The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. | |
| CVE-2007-4887 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Sep 14, 2007 | The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability. | ||
| CVE-2007-4783 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Sep 10, 2007 | The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service (temporary | ||
| CVE-2006-1991 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Apr 24, 2006 | The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument. | ||
| CVE-2006-1494 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Apr 10, 2006 | Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function. | ||
| CVE-2006-0996 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Apr 10, 2006 | Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed. | ||
| CVE-2006-1490 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Mar 29, 2006 | PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue ha | ||
| CVE-2006-1017 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Mar 7, 2006 | The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attack | ||
| CVE-2005-3353 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Nov 18, 2005 | The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image. | ||
| CVE-2005-3392 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Nov 1, 2005 | Unspecified vulnerability in PHP before 4.4.1, when using the virtual function on Apache 2, allows remote attackers to bypass safe_mode and open_basedir directives. | ||
| CVE-2005-3391 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Nov 1, 2005 | Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd. | ||
| CVE-2005-3390 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Nov 1, 2005 | The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload | ||
| CVE-2005-3389 | — | < 7.4.24-1.1 | 7.4.24-1.1 | Nov 1, 2005 | The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an in |
- CVE-2010-4645Jan 11, 2011affected < 7.0.14-1.4fixed 7.0.14-1.4
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handle
- CVE-2010-4150Dec 7, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.
- CVE-2010-3709Nov 9, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.
- CVE-2010-3436Nov 9, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.
- CVE-2010-3710Oct 25, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address strin
- CVE-2010-2950Sep 28, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_str
- CVE-2010-2225Jun 24, 2010affected < 7.0.14-1.4fixed 7.0.14-1.4
Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.
- affected < 7.4.24-1.1fixed 7.4.24-1.1
The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.
- CVE-2007-4887Sep 14, 2007affected < 7.4.24-1.1fixed 7.4.24-1.1
The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability.
- CVE-2007-4783Sep 10, 2007affected < 7.4.24-1.1fixed 7.4.24-1.1
The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service (temporary
- CVE-2006-1991Apr 24, 2006affected < 7.4.24-1.1fixed 7.4.24-1.1
The substr_compare function in string.c in PHP 5.1.2 allows context-dependent attackers to cause a denial of service (memory access violation) via an out-of-bounds offset argument.
- CVE-2006-1494Apr 10, 2006affected < 7.4.24-1.1fixed 7.4.24-1.1
Directory traversal vulnerability in file.c in PHP 4.4.2 and 5.1.2 allows local users to bypass open_basedir restrictions allows remote attackers to create files in arbitrary directories via the tempnam function.
- CVE-2006-0996Apr 10, 2006affected < 7.4.24-1.1fixed 7.4.24-1.1
Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.
- CVE-2006-1490Mar 29, 2006affected < 7.4.24-1.1fixed 7.4.24-1.1
PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of memory via crafted binary data sent to a script that processes user input in the html_entity_decode function and sends the encoded results back to the client, aka a "binary safety" issue. NOTE: this issue ha
- CVE-2006-1017Mar 7, 2006affected < 7.4.24-1.1fixed 7.4.24-1.1
The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attack
- CVE-2005-3353Nov 18, 2005affected < 7.4.24-1.1fixed 7.4.24-1.1
The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
- CVE-2005-3392Nov 1, 2005affected < 7.4.24-1.1fixed 7.4.24-1.1
Unspecified vulnerability in PHP before 4.4.1, when using the virtual function on Apache 2, allows remote attackers to bypass safe_mode and open_basedir directives.
- CVE-2005-3391Nov 1, 2005affected < 7.4.24-1.1fixed 7.4.24-1.1
Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd.
- CVE-2005-3390Nov 1, 2005affected < 7.4.24-1.1fixed 7.4.24-1.1
The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload
- CVE-2005-3389Nov 1, 2005affected < 7.4.24-1.1fixed 7.4.24-1.1
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an in
Page 6 of 7