Trailing spaces in command names can lead to arbitrary command execution in PHP
CVE-2024-5585
7.7HIGH
What is CVE-2024-5585?
In specific versions of PHP, a vulnerability exists whereby insufficiently escaped command arguments in the proc_open() function can allow a malicious user to execute arbitrary commands within the Windows shell. This issue arises particularly when command names contain trailing spaces, leading to a failure in the intended fix for a related vulnerability. Attackers can exploit this weakness to manipulate the execution of commands, potentially compromising the server's security and integrity.
Affected Version(s)
PHP Windows 8.1.*
PHP Windows 8.1.* < 8.1.29
PHP Windows 8.2.* < 8.2.20