prod
Sylius 1.14-dev
73 vulnérabilités ont été trouvés
1 paquets abandonnés ont été trouvés
Dernière analyse : il y a 22 heures
Pas de résultat.
73 vulnérabilités ont été trouvés
| # | Total | C | H | M | L | |
|---|---|---|---|---|---|---|
| Composer | 16 | 0 | 6 | 4 | 6 | 0 |
| Php/php | 32 | 4 | 10 | 9 | 2 | 7 |
| Apache/http_server | 25 | 2 | 6 | 2 | 0 | 15 |
Composer
high Twig has a possible sandbox bypass
Versions affectées : >=3.0.0,<3.14.0|>=2.0.0,<2.16.1|>=1.0.0,<1.44.8Versions patchées : 1.44.8 2.16.1 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66
Signalée 09/09/2024
CVE-2024-45411
low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
Signalée 06/11/2024
CVE-2024-51755
low Unguarded calls to __toString() when nesting an object into an array
Versions affectées : >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.11.2|>=3.12.0,<3.14.1Versions patchées : 3.11.2 3.14.1
https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
Signalée 06/11/2024
CVE-2024-51754
1 symfony/http-client —— v6.4.7 +
low CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
Versions affectées : >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50342
Signalée 05/11/2024
CVE-2024-50342
2 symfony/http-foundation —— v6.4.7 +
high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.50|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.29|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.3.7Versions patchées : 5.4.50 6.4.29 7.3.7 5.4.50 6.4.29 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
Signalée 12/11/2025
CVE-2025-64500
low CVE-2024-50345: Open redirect via browser-sanitized URLs
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-50345
Signalée 05/11/2024
CVE-2024-50345
high CVE-2024-51736: Command execution hijack on Windows with Process class
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7Versions patchées : 5.4.46 6.4.14 7.1.7 5.4.46 6.4.14 7.1.7
https://symfony.com/cve-2024-51736
Signalée 05/11/2024
CVE-2024-51736
1 symfony/security-bundle —— v6.4.7 +
low CVE-2024-50341: Security::login does not take into account custom user_checker
Versions affectées : >=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.10|>=7.0.0,<7.0.10|>=7.1.0,<7.1.3Versions patchées : 6.4.10 7.0.10 7.1.3 6.4.10 7.0.10 7.1.3
https://symfony.com/cve-2024-50341
Signalée 17/07/2024
CVE-2024-50341
1 symfony/validator —— v6.4.7 +
low CVE-2024-50343: Incorrect response from Validator when input ends with ` `
Versions affectées : >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.43|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.11|>=7.0.0,<7.1.0|>=7.1.0,<7.1.4Versions patchées : 5.4.43 6.4.11 7.1.4 5.4.43 6.4.11 7.1.4
https://symfony.com/cve-2024-50343
Signalée 30/08/2024
CVE-2024-50343
1 symfony/security-http —— v6.4.7 +
high CVE-2024-51996: Authentication Bypass via persisted RememberMe cookie
Versions affectées : >=5.3.0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8Versions patchées : 5.4.47 6.4.15 7.1.8
https://symfony.com/cve-2024-51996
Signalée 13/11/2024
CVE-2024-51996
1 sylius/sylius —— 1.14.x-dev +
medium Sylius allows unrestricted brute-force attacks on user accounts
Versions affectées : <=2.0.2Versions patchées :
https://github.com/advisories/GHSA-2hjh-495w-hmxc
Signalée 06/02/2025
CVE-2024-57610
2 sylius/paypal-plugin —— v1.6.0 +
medium Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
Versions affectées : >=2.0.0,<2.0.2|>=1.7.0,<1.7.2|<1.6.2Versions patchées : 1.6.2 1.7.2 2.0.2
https://github.com/advisories/GHSA-hxg4-65p5-9w37
Signalée 19/03/2025
CVE-2025-30152
medium Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
Versions affectées : >=2.0.0,<2.0.1|>=1.7.0,<1.7.1|<1.6.1Versions patchées : 1.6.1 1.7.1 2.0.1
https://github.com/advisories/GHSA-pqq3-q84h-pj6x
Signalée 17/03/2025
CVE-2025-29788
2 api-platform/core —— v2.7.18 +
high GraphQL query operations security can be bypassed
Versions affectées : <4.0.22Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-cg3c-245w-728m
Signalée 04/04/2025
CVE-2025-31481
high GraphQL grant on a property might be cached with different objects
Versions affectées : <4.0.22Versions patchées : 4.0.22 4.0.22
https://github.com/advisories/GHSA-428q-q3vv-3fq3
Signalée 04/04/2025
CVE-2025-31485
1 enshrined/svg-sanitize —— 0.16.0 +
medium svg-sanitizer Bypasses Attribute Sanitization
Versions affectées : <0.22.0Versions patchées : 0.22.0
https://github.com/advisories/GHSA-22wq-q86m-83fh
Signalée 12/08/2025
CVE-2025-55166
Php/php
critical In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.
* [https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)
Signalée 11/08/2023
CVE-2023-3824
critical In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv](https://github.com/php/php-src/security/advisories/GHSA-5hqh-c84r-qjcv)
Signalée 24/11/2024
CVE-2024-11236
critical In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv](https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv)
* [https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html](https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html)
* [https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/](https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/)
* [https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/](https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/)
* [https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/](https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/)
* [https://github.com/11whoami99/CVE-2024-4577](https://github.com/11whoami99/CVE-2024-4577)
* [https://github.com/xcanwin/CVE-2024-4577-PHP-RCE](https://github.com/xcanwin/CVE-2024-4577-PHP-RCE)
* [https://github.com/rapid7/metasploit-framework/pull/19247](https://github.com/rapid7/metasploit-framework/pull/19247)
* [https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/)
* [https://github.com/watchtowrlabs/CVE-2024-4577](https://github.com/watchtowrlabs/CVE-2024-4577)
* [https://www.php.net/ChangeLog-8.php#8.1.29](https://www.php.net/ChangeLog-8.php#8.1.29)
* [https://www.php.net/ChangeLog-8.php#8.2.20](https://www.php.net/ChangeLog-8.php#8.2.20)
* [https://www.php.net/ChangeLog-8.php#8.3.8](https://www.php.net/ChangeLog-8.php#8.3.8)
* [https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately](https://cert.be/en/advisory/warning-php-remote-code-execution-patch-immediately)
* [https://isc.sans.edu/diary/30994](https://isc.sans.edu/diary/30994)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240621-0008/](https://security.netapp.com/advisory/ntap-20240621-0008/)
Signalée 09/06/2024
CVE-2024-4577
critical In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.
* [https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff](https://github.com/php/php-src/security/advisories/GHSA-52jp-hrpf-2jff)
* [https://security.netapp.com/advisory/ntap-20250523-0005/](https://security.netapp.com/advisory/ntap-20250523-0005/)
Signalée 30/03/2025
CVE-2025-1861
high In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.
* [https://bugs.php.net/bug.php?id=81746](https://bugs.php.net/bug.php?id=81746)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)
Signalée 16/02/2023
CVE-2023-0568
high In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
* [https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv](https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv)
* [https://security.netapp.com/advisory/ntap-20230517-0001/](https://security.netapp.com/advisory/ntap-20230517-0001/)
Signalée 16/02/2023
CVE-2023-0662
high In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.
* [https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr](https://github.com/php/php-src/security/advisories/GHSA-3qrf-m4j2-pcrr)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7NBF77WN6DTVTY2RE73IGPYD6M4PIAWA/)
* [https://security.netapp.com/advisory/ntap-20230825-0001/](https://security.netapp.com/advisory/ntap-20230825-0001/)
* [https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html](https://lists.debian.org/debian-lts-announce/2023/09/msg00002.html)
Signalée 11/08/2023
CVE-2023-3823
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, due to an error in convert.quoted-printable-decode filter certain data can lead to buffer overread by one byte, which can in certain circumstances lead to crashes or disclose content of other memory areas.
* [https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43](https://github.com/php/php-src/security/advisories/GHSA-r977-prxv-hc43)
Signalée 24/11/2024
CVE-2024-11233
high In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
* [https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2](https://github.com/php/php-src/security/advisories/GHSA-c5f2-jwm7-mmq2)
Signalée 24/11/2024
CVE-2024-11234
high In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
* [https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385](https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
Signalée 09/06/2024
CVE-2024-5585
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
* [https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq](https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq)
Signalée 08/10/2024
CVE-2024-8926
high In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.
* [https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp](https://github.com/php/php-src/security/advisories/GHSA-94p6-54jq-9mwp)
Signalée 08/10/2024
CVE-2024-8927
high In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid.
* [https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3](https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3)
Signalée 13/07/2025
CVE-2025-1735
high In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when user-supplied headers are sent, the insufficient validation of the end-of-line characters may prevent certain headers from being sent or lead to certain headers be misinterpreted.
* [https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528](https://github.com/php/php-src/security/advisories/GHSA-hgf5-96fm-v528)
* [https://security.netapp.com/advisory/ntap-20250523-0006/](https://security.netapp.com/advisory/ntap-20250523-0006/)
Signalée 30/03/2025
CVE-2025-1736
medium The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
* [http://osvdb.org/39834](http://osvdb.org/39834)
* [http://securityreason.com/securityalert/2800](http://securityreason.com/securityalert/2800)
* [http://www.acid-root.new.fr/advisories/14070612.txt](http://www.acid-root.new.fr/advisories/14070612.txt)
* [http://www.securityfocus.com/archive/1/471178/100/0/threaded](http://www.securityfocus.com/archive/1/471178/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471204/100/0/threaded](http://www.securityfocus.com/archive/1/471204/100/0/threaded)
* [http://www.securityfocus.com/archive/1/471275/100/0/threaded](http://www.securityfocus.com/archive/1/471275/100/0/threaded)
* [https://exchange.xforce.ibmcloud.com/vulnerabilities/34836](https://exchange.xforce.ibmcloud.com/vulnerabilities/34836)
Signalée 13/06/2007
CVE-2007-3205
medium In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.
* [https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4](https://github.com/php/php-src/security/advisories/GHSA-7fj2-8x79-rjf4)
* [https://bugs.php.net/bug.php?id=81744](https://bugs.php.net/bug.php?id=81744)
Signalée 01/03/2023
CVE-2023-0567
medium In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce.
* [https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw](https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw)
Signalée 22/07/2023
CVE-2023-3247
medium The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864](https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
Signalée 09/06/2024
CVE-2024-2408
medium In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
* [https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w](https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html](https://lists.debian.org/debian-lts-announce/2024/06/msg00009.html)
Signalée 09/06/2024
CVE-2024-5458
medium In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed. This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.
* [https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32](https://github.com/php/php-src/security/advisories/GHSA-9pqp-7h25-4f32)
Signalée 08/10/2024
CVE-2024-8925
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations.
Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
* [https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc](https://github.com/php/php-src/security/advisories/GHSA-p3x9-6h7p-cgfc)
Signalée 30/03/2025
CVE-2025-1219
medium In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions.
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
* [https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r](https://github.com/php/php-src/security/advisories/GHSA-3cr5-j632-f35r)
Signalée 13/07/2025
CVE-2025-1220
medium In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when receiving headers from HTTP server, the headers missing a colon (:) are treated as valid headers even though they are not. This may confuse applications into accepting invalid headers.
* [https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44](https://github.com/php/php-src/security/advisories/GHSA-pcmh-g36c-qc44)
* [https://security.netapp.com/advisory/ntap-20250523-0009/](https://security.netapp.com/advisory/ntap-20250523-0009/)
Signalée 30/03/2025
CVE-2025-1734
low In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.
* [https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5](https://github.com/php/php-src/security/advisories/GHSA-865w-9rf3-2wh5)
Signalée 08/10/2024
CVE-2024-9026
low In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc.
Versions affectées : 8.1.0|8.1.31,8.2.0|8.2.27,8.3.0|8.3.18,8.4.0|8.4.4Versions patchées :
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
* [https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g](https://github.com/php/php-src/security/advisories/GHSA-v8xr-gpvj-cx9g)
Signalée 29/03/2025
CVE-2025-1217
unassigned In PHP versions 8.0.* before 8.0.27, 8.1.* before 8.1.15, 8.2.* before 8.2.2 when using PDO::quote() function to quote user-supplied data for SQLite, supplying an overly long string may cause the driver to incorrectly quote the data, which may further lead to SQL injection vulnerabilities.
* [https://bugs.php.net/bug.php?id=81740](https://bugs.php.net/bug.php?id=81740)
* [https://bugs.php.net/bug.php?id=81740](https://bugs.php.net/bug.php?id=81740)
* [https://security.netapp.com/advisory/ntap-20230223-0007/](https://security.netapp.com/advisory/ntap-20230223-0007/)
Signalée 12/02/2025
CVE-2022-31631
unassigned In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [http://www.openwall.com/lists/oss-security/2024/06/07/1](http://www.openwall.com/lists/oss-security/2024/06/07/1)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7](https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://security.netapp.com/advisory/ntap-20240510-0009/](https://security.netapp.com/advisory/ntap-20240510-0009/)
* [https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585](https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585)
Signalée 29/04/2024
CVE-2024-1874
unassigned In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [http://www.openwall.com/lists/oss-security/2024/04/12/11](http://www.openwall.com/lists/oss-security/2024/04/12/11)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr](https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
* [https://security.netapp.com/advisory/ntap-20240510-0010/](https://security.netapp.com/advisory/ntap-20240510-0010/)
Signalée 29/04/2024
CVE-2024-3096
unassigned A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/](https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://kb.cert.org/vuls/id/123335](https://kb.cert.org/vuls/id/123335)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way](https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-1874](https://www.cve.org/CVERecord?id=CVE-2024-1874)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-22423](https://www.cve.org/CVERecord?id=CVE-2024-22423)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.cve.org/CVERecord?id=CVE-2024-24576](https://www.cve.org/CVERecord?id=CVE-2024-24576)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
* [https://www.kb.cert.org/vuls/id/123335](https://www.kb.cert.org/vuls/id/123335)
Signalée 10/04/2024
CVE-2024-3566
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a hostile MySQL server can cause the client to disclose the content of its heap containing data from other SQL requests and possible other data belonging to different users of the same server.
* [https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678](https://github.com/php/php-src/security/advisories/GHSA-h35g-vwh6-m678)
* [https://security.netapp.com/advisory/ntap-20250110-0008/](https://security.netapp.com/advisory/ntap-20250110-0008/)
Signalée 22/11/2024
CVE-2024-8929
unassigned In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.
* [https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff](https://github.com/php/php-src/security/advisories/GHSA-g665-fm4p-vhff)
* [https://security.netapp.com/advisory/ntap-20250110-0009/](https://security.netapp.com/advisory/ntap-20250110-0009/)
Signalée 22/11/2024
CVE-2024-8932
unassigned In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server.
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
* [https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x](https://github.com/php/php-src/security/advisories/GHSA-453j-q27h-5p8x)
Signalée 13/07/2025
CVE-2025-6491
Apache/http_server
25 apache/http_server —— 2.4.58 +
critical Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
Signalée 01/07/2024
CVE-2024-38474
critical Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
Signalée 01/07/2024
CVE-2024-38476
high HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/)
* [http://www.openwall.com/lists/oss-security/2024/04/04/4](http://www.openwall.com/lists/oss-security/2024/04/04/4)
* [http://www.openwall.com/lists/oss-security/2024/04/03/16](http://www.openwall.com/lists/oss-security/2024/04/03/16)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
Signalée 04/04/2024
CVE-2024-27316
high null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
Signalée 01/07/2024
CVE-2024-38477
high SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 18/07/2024
CVE-2024-40898
high An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/4](http://www.openwall.com/lists/oss-security/2025/12/04/4)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 05/12/2025
CVE-2025-55753
high Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/5](http://www.openwall.com/lists/oss-security/2025/12/04/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 05/12/2025
CVE-2025-58098
high Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/6](http://www.openwall.com/lists/oss-security/2025/12/04/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 05/12/2025
CVE-2025-59775
medium Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/7](http://www.openwall.com/lists/oss-security/2025/12/04/7)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 05/12/2025
CVE-2025-65082
medium mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
* [http://www.openwall.com/lists/oss-security/2025/12/04/8](http://www.openwall.com/lists/oss-security/2025/12/04/8)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 05/12/2025
CVE-2025-66200
unassigned Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/3](http://www.openwall.com/lists/oss-security/2024/04/04/3)
* [http://www.openwall.com/lists/oss-security/2024/04/04/3](http://www.openwall.com/lists/oss-security/2024/04/04/3)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
Signalée 04/04/2024
CVE-2023-38709
unassigned HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
* [http://seclists.org/fulldisclosure/2024/Jul/18](http://seclists.org/fulldisclosure/2024/Jul/18)
* [http://www.openwall.com/lists/oss-security/2024/04/04/5](http://www.openwall.com/lists/oss-security/2024/04/04/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html)
* [https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html](https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/)
* [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/)
* [https://security.netapp.com/advisory/ntap-20240415-0013/](https://security.netapp.com/advisory/ntap-20240415-0013/)
* [https://support.apple.com/kb/HT214119](https://support.apple.com/kb/HT214119)
Signalée 04/04/2024
CVE-2024-24795
unassigned Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
* [http://www.openwall.com/lists/oss-security/2024/07/01/4](http://www.openwall.com/lists/oss-security/2024/07/01/4)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
Signalée 01/07/2024
CVE-2024-36387
unassigned SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/5](http://www.openwall.com/lists/oss-security/2024/07/01/5)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 01/07/2024
CVE-2024-38472
unassigned Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [http://www.openwall.com/lists/oss-security/2024/07/01/6](http://www.openwall.com/lists/oss-security/2024/07/01/6)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 01/07/2024
CVE-2024-38473
unassigned Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
* [http://www.openwall.com/lists/oss-security/2024/07/01/8](http://www.openwall.com/lists/oss-security/2024/07/01/8)
* [https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf](https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227](https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227)
Signalée 01/07/2024
CVE-2024-38475
unassigned Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
* [http://www.openwall.com/lists/oss-security/2024/07/01/11](http://www.openwall.com/lists/oss-security/2024/07/01/11)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
* [https://security.netapp.com/advisory/ntap-20240712-0001/](https://security.netapp.com/advisory/ntap-20240712-0001/)
Signalée 01/07/2024
CVE-2024-39573
unassigned HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2024-42516
unassigned SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2024-43204
unassigned Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2024-43394
unassigned Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2024-47252
unassigned In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2025-23048
unassigned In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2025-49630
unassigned In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2025-49812
unassigned Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.
* [https://httpd.apache.org/security/vulnerabilities_24.html](https://httpd.apache.org/security/vulnerabilities_24.html)
Signalée 10/07/2025
CVE-2025-53020
1 paquets abandonnés ont été trouvés
| Paquet abandonné | Remplacement suggéré |
|---|---|
| php-http/message-factory | psr/http-factory |
Share
Badge
[](https://audit.security.code-rhapsodie.fr/fr/project/018f808c-f7c7-7972-baed-d79c7a96868a)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f808c-f7c7-7972-baed-d79c7a96868a)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f808c-f7c7-7972-baed-d79c7a96868a)
[](https://audit.security.code-rhapsodie.fr/fr/project/018f808c-f7c7-7972-baed-d79c7a96868a)