CVSS: 6.1EPSS: 0%CPEs: 46EXPL: 0CVE-2015-8935 – php: HTTP response splitting in header() function
https://notcve.org/view.php?id=CVE-2015-8935
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function. La función sapi_header_op en main/SAPI en PHP en versiones anteriores a 5.4.38, 5.5.x en versiones anteriores a 5.5.22 y 5.6 en versiones anteriores a 5.6.6 apoya el plegado de linea en de uso sin considerar la compatibilidad del navegador, lo que permite a atacantes remotos llevar a cabo ataques XSS contra Internet Explorer mediante el aprovechamiento de (1) %0A%20 o (2) %0D%0A%20 no manejado adecuadamente en la función de cabecera. The header() PHP function allowed header stings containing line break followed by a space or tab, as allowed by RFC 2616. Certain browsers handled the continuation line as new header, making it possible to conduct a HTTP response splitting attack against such browsers. The header() function was updated to follow RFC 7230 and not allow any line breaks. • http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00025.html http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.openwall.com/lists/oss-security/2016/06/20/3 https://bugs.php.net/bug.php?id=68978 https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b?w=1 https://access.redhat.com/security/cve/CVE-201 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 0CVE-2016-6288 – php: Buffer over-read in php_url_parse_ex
https://notcve.org/view.php?id=CVE-2016-6288
The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. La función php_url_parse_ex en ext/standard/url.c en PHP en versiones anteriores a 5.5.38 permite a atacantes remotos provocar una denegación de servicio (sobrelectura de buffer) o posiblemente tener otro impacto no especificado a través de vectores que involucran el tipo de datos smart_str. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=629e4da7cc8b174acdeab84969cbfc606a019b31 http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://openwall.com/lists/oss-security/2016/07/24/2 http://php.net/ChangeLog-5.php http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.securityfocus.com/bid/92111 http://www.securitytracker.com/id/1036430 https://bugs.php.net/70480 https://support.apple.com/HT207170 https://access.redhat.com/security/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 40EXPL: 1CVE-2016-6289 – php: Integer overflow leads to buffer overflow in virtual_file_ex
https://notcve.org/view.php?id=CVE-2016-6289
Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. Desbordamiento de entero en la función virtual_file_ex en TSRM/tsrm_virtual_cwd.c en PHP en versiones anteriores a 5.5.38, 5.6.x en versiones anteriores a 5.6.24 y 7.x en versiones anteriores a 7.0.9 permite a atacantes remotos provocar una denegación de servicio (desbordamiento de buffer basado en pila) o posiblemente tener otro impacto no especificado a través de una operación de extracto manipulada en un archivo ZIP. • http://fortiguard.com/advisory/fortinet-discovers-php-stack-based-buffer-overflow-vulnerabilities http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=0218acb7e756a469099c4ccfb22bce6c2bd1ef87 http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://openwall.com/lists/oss-security/2016/07/24/2 http://php.net/ChangeLog-5.php http://php.net/ChangeLog-7.php http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.debian.org/security/2016/dsa-3631 http://www.s • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 2%CPEs: 40EXPL: 0CVE-2016-6290 – php: Use after free in unserialize() with Unexpected Session Deserialization
https://notcve.org/view.php?id=CVE-2016-6290
ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. ext/session/session.c en PHP en versiones anteriores a 5.5.38, 5.6.x en versiones anteriores a 5.6.24 y 7.x en versiones anteriores a 7.0.9 no mantiene correctamente una determinada estructura de datos hash, lo que permite a atacantes remotos provocar una denegación de servicio (uso después de liberación) o posiblemente tener otro impacto no especificado a través de vectores relacionados con deserialización de sesión. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=3798eb6fd5dddb211b01d41495072fd9858d4e32 http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://openwall.com/lists/oss-security/2016/07/24/2 http://php.net/ChangeLog-5.php http://php.net/ChangeLog-7.php http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.debian.org/security/2016/dsa-3631 http://www.securityfocus.com/bid/92097 http://www.securitytracker.com/id/1036430 https://bugs.php& • CWE-416: Use After Free •
CVSS: 9.8EPSS: 2%CPEs: 40EXPL: 1CVE-2016-6291 – php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
https://notcve.org/view.php?id=CVE-2016-6291
The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. La función exif_process_IFD_in_MAKERNOTE en ext/exif/exif.c en PHP en versiones anteriores a 5.5.38, 5.6.x en versiones anteriores a 5.6.24 y 7.x en versiones anteriores a 7.0.9 permite a atacantes remotos provocar una denegación de servicio (acceso al array fuera de rango y corrupción de memoria), obtener información sensible de la memoria de proceso o posiblemente tener otro impacto no especificado a través de una imagen JPEG manipulada. • http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=eebcbd5de38a0f1c2876035402cb770e37476519 http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://openwall.com/lists/oss-security/2016/07/24/2 http://php.net/ChangeLog-5.php http://php.net/ChangeLog-7.php http://rhn.redhat.com/errata/RHSA-2016-2750.html http://www.debian.org/security/2016/dsa-3631 http://www.securityfocus.com/bid/92073 http://www.securitytracker.com/id/1036430 https://bugs.php& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •