Network and Same-Site Attackers Can Set Insecure Cookies in Victim's Browser
CVE-2024-2756
What is CVE-2024-2756?
Due to an incomplete fix for CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Affected Version(s)
PHP 8.1.*
PHP 8.1.* < 8.1.28
PHP 8.2.* < 8.2.18
News Articles
Critical PHP Vulnerabilities Let Attackers Inject Commands : Patch Now
Multiple vulnerabilities have been identified in PHP that are associated with Command Injection, Cookie Bypass, Account takeover and Denial
Critical PHP Vulnerabilities Exposed: Urgent Updates Needed to Safeguard Against Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757) - Daily Dark Web
EPSS Score
10% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
- First article discovered by dailydarkweb.net