Network and Same-Site Attackers Can Set Insecure Cookies in Victim's Browser
CVE-2024-2756

6.5MEDIUM

Key Information:

Vendor

PHP Group

Status
PHP
Vendor
CVE Published:
29 April 2024

Badges

🟣 EPSS 10%📰 News Worthy

What is CVE-2024-2756?

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

Affected Version(s)

PHP 8.1.*

PHP 8.1.* < 8.1.28

PHP 8.2.* < 8.2.18

News Articles

favicon imageCybersecurityNews

Critical PHP Vulnerabilities Let Attackers Inject Commands : Patch Now

Multiple vulnerabilities have been identified in PHP that are associated with Command Injection, Cookie Bypass, Account takeover and Denial

favicon imagedailydarkweb.net

Critical PHP Vulnerabilities Exposed: Urgent Updates Needed to Safeguard Against Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757) - Daily Dark Web

Critical PHP Vulnerabilities Exposed: Urgent Updates Needed to Safeguard Against Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757) Discover the latest security threats and database leaks, including unauthorized VPN access and email breaches, in the cyber un...

References

https://github.com/php/php-src/security/advisories/GHSA-w...
http://www.openwall.com/lists/oss-security/2024/04/12/11
https://lists.debian.org/debian-lts-announce/2024/05/msg0...

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 📰

    First article discovered by dailydarkweb.net

Credit

Marco Squarcina
.