Arbitrary Command Execution Vulnerability in PHP Proc Open Function
CVE-2024-1874
Summary
In PHP versions prior to 8.1.28, 8.2.18, and 8.3.5, a command injection vulnerability exists when using the proc_open() function with array syntax. This vulnerability arises from insufficient escaping, allowing an attacker to manipulate the arguments of the executed command. If the inputs are controlled by a malicious user, they can craft specific arguments that lead to the execution of arbitrary commands within the Windows shell environment. This poses a significant security risk to applications utilizing vulnerable versions of PHP.
Affected Version(s)
PHP Windows 8.1.*
PHP Windows 8.1.* < 8.1.28
PHP Windows 8.2.* < 8.2.18
News Articles
Critical PHP Vulnerabilities Let Attackers Inject Commands : Patch Now
Multiple vulnerabilities have been identified in PHP that are associated with Command Injection, Cookie Bypass, Account takeover and Denial
Mageia 2024-0132: php Security Advisory Updates | LinuxSecurity.com
Mageia 2024-0132: php Security Advisory Updates - MGASA-2024-0132. Updated php packages fix security vulnerabilities. Publication date: 13 Apr 2024 URL:
Critical PHP Vulnerabilities Exposed: Urgent Updates Needed to Safeguard Against Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757) - Daily Dark Web
EPSS Score
42% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- Vulnerability published
- 👾 Exploit known to exist
- 📰 First article discovered by dailydarkweb.net