VYPR

PHP

by PHP

Source repositories

CVEs (731)

  • CVE-2013-7327Feb 18, 2014
    risk 0.00cvss epss 0.03

    The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL…

  • CVE-2013-7226Feb 18, 2014
    risk 0.00cvss epss 0.07

    Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a…

  • CVE-2012-1171Feb 15, 2014
    risk 0.00cvss epss 0.03

    The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper.

  • CVE-2013-6712Nov 28, 2013
    risk 0.00cvss epss 0.05

    The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.

  • CVE-2013-1824Sep 16, 2013
    risk 0.00cvss epss 0.04

    The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the…

  • CVE-2013-4248Aug 18, 2013
    risk 0.00cvss epss 0.04

    The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to…

  • CVE-2011-4718Aug 13, 2013
    risk 0.00cvss epss 0.04

    Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.

  • CVE-2013-4113Jul 13, 2013
    risk 0.00cvss epss 0.05

    ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct…

  • CVE-2013-4636Jun 21, 2013
    risk 0.00cvss epss 0.02

    The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an…

  • CVE-2013-4635Jun 21, 2013
    risk 0.00cvss epss 0.04

    Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

  • CVE-2012-6113Jan 19, 2013
    risk 0.00cvss epss 0.03

    The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.

  • CVE-2012-4388Sep 7, 2012
    risk 0.00cvss epss 0.04

    The sapi_header_op function in main/SAPI.c in PHP 5.4.0RC2 through 5.4.0 does not properly determine a pointer during checks for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted…

  • CVE-2012-2317Aug 7, 2012
    risk 0.00cvss epss 0.02

    The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not…

  • CVE-2012-3365Jul 20, 2012
    risk 0.00cvss epss 0.03

    The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

  • CVE-2012-2143Jul 5, 2012
    risk 0.00cvss epss 0.06

    The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to…

  • CVE-2012-0057Feb 2, 2012
    risk 0.00cvss epss 0.03

    PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.

  • CVE-2011-3379Nov 3, 2011
    risk 0.00cvss epss 0.05

    The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

  • CVE-2011-3268Aug 25, 2011
    risk 0.00cvss epss 0.06

    Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.

  • CVE-2011-3267Aug 25, 2011
    risk 0.00cvss epss 0.03

    PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.

  • CVE-2011-3189Aug 25, 2011
    risk 0.00cvss epss 0.04

    The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483.

Page 28 of 37