Total
713 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2005-3391 | 1 Php | 1 Php | 2025-04-03 | 7.5 HIGH | N/A |
| Multiple vulnerabilities in PHP before 4.4.1 allow remote attackers to bypass safe_mode and open_basedir restrictions via unknown attack vectors in (1) ext/curl and (2) ext/gd. | |||||
| CVE-2005-0596 | 1 Php | 1 Php | 2025-04-03 | 2.1 LOW | N/A |
| PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size. | |||||
| CVE-2003-0249 | 1 Php | 1 Php | 2025-04-03 | 7.5 HIGH | N/A |
| PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report. | |||||
| CVE-2006-4485 | 1 Php | 1 Php | 2025-04-03 | 10.0 HIGH | N/A |
| The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read. | |||||
| CVE-2006-4433 | 1 Php | 1 Php | 2025-04-03 | 7.5 HIGH | N/A |
| PHP before 4.4.3 and 5.x before 5.1.4 does not limit the character set of the session identifier (PHPSESSID) for third party session handlers, which might make it easier for remote attackers to exploit other vulnerabilities by inserting PHP code into the PHPSESSID, which is stored in the session file. NOTE: it could be argued that this not a vulnerability in PHP itself, rather a design limitation that enables certain attacks against session handlers that do not account for this limitation. | |||||
| CVE-2005-3319 | 1 Php | 1 Php | 2025-04-03 | 2.1 LOW | N/A |
| The apache2handler SAPI (sapi_apache2.c) in the Apache module (mod_php) for PHP 5.x before 5.1.0 final and 4.4 before 4.4.1 final allows attackers to cause a denial of service (segmentation fault) via the session.save_path option in a .htaccess file or VirtualHost. | |||||
| CVE-2006-4481 | 1 Php | 1 Php | 2025-04-03 | 7.2 HIGH | N/A |
| The (1) file_exists and (2) imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings. NOTE: the error_log function is covered by CVE-2006-3011, and the imap_open function is covered by CVE-2006-1017. | |||||
| CVE-2005-0524 | 1 Php | 1 Php | 2025-04-03 | 5.0 MEDIUM | N/A |
| The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. | |||||
| CVE-2003-0860 | 1 Php | 1 Php | 2025-04-03 | 10.0 HIGH | N/A |
| Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors. | |||||
| CVE-2001-1385 | 2 Mandrakesoft, Php | 2 Mandrake Linux, Php | 2025-04-03 | 5.0 MEDIUM | N/A |
| The Apache module for PHP 4.0.0 through PHP 4.0.4, when disabled with the 'engine = off' option for a virtual host, may disable PHP for other virtual hosts, which could cause Apache to serve the source code of PHP scripts. | |||||
| CVE-2006-2660 | 1 Php | 1 Php | 2025-04-03 | 2.1 LOW | N/A |
| Buffer consumption vulnerability in the tempnam function in PHP 5.1.4 and 4.x before 4.4.3 allows local users to bypass restrictions and create PHP files with fixed names in other directories via a pathname argument longer than MAXPATHLEN, which prevents a unique string from being appended to the filename. | |||||
| CVE-2003-0166 | 1 Php | 1 Php | 2025-04-03 | 7.5 HIGH | N/A |
| Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions. | |||||
| CVE-2005-1042 | 1 Php | 1 Php | 2025-04-03 | 7.5 HIGH | N/A |
| Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count. | |||||
| CVE-2002-0986 | 1 Php | 1 Php | 2025-04-03 | 5.0 MEDIUM | N/A |
| The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy." | |||||
| CVE-2006-0208 | 1 Php | 1 Php | 2025-04-03 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in PHP 4.4.1 and 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message. | |||||
| CVE-2006-1014 | 1 Php | 1 Php | 2025-04-03 | 3.2 LOW | N/A |
| Argument injection vulnerability in certain PHP 4.x and 5.x applications, when used with sendmail and when accepting remote input for the additional_parameters argument to the mb_send_mail function, allows context-dependent attackers to read and create arbitrary files by providing extra -C and -X arguments to sendmail. NOTE: it could be argued that this is a class of technology-specific vulnerability, instead of a particular instance; if so, then this should not be included in CVE. | |||||
| CVE-2002-1783 | 1 Php | 1 Php | 2025-04-03 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in PHP 4.2.1 through 4.2.3, when allow_url_fopen is enabled, allows remote attackers to modify HTTP headers for outgoing requests by causing CRLF sequences to be injected into arguments that are passed to the (1) fopen or (2) file functions. | |||||
| CVE-2000-0059 | 1 Php | 1 Php | 2025-04-03 | 10.0 HIGH | N/A |
| PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands. | |||||
| CVE-2002-0121 | 1 Php | 1 Php | 2025-04-03 | 2.1 LOW | N/A |
| PHP 4.0 through 4.1.1 stores session IDs in temporary files whose name contains the session ID, which allows local users to hijack web connections. | |||||
| CVE-2005-3353 | 1 Php | 1 Php | 2025-04-03 | 5.0 MEDIUM | N/A |
| The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image. | |||||