CVE-2024-4577 Vulnerability in PHP Could Allow Command Injection and Source Code Revelation
CVE-2024-8926

8.8HIGH

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 8 October 2024

What is CVE-2024-8926?

In certain configurations involving non-standard Windows codepages, vulnerabilities in specific versions of PHP may allow attackers to exploit command injection weaknesses. These weaknesses can lead to unauthorized access to PHP binary options, enabling malicious actors to reveal script source code or execute arbitrary PHP code on affected servers. This threat underscores the importance of strict configuration management and regular updates for PHP installations.

Affected Version(s)

PHP Windows 8.1.*

PHP Windows 8.1.* < 8.1.30

PHP Windows 8.2.* < 8.2.24

References

https://github.com/php/php-src/security/advisories/GHSA-p...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Sep 17, 2024

Credit

https://github.com/MortalAndTry

PHP Group

What is CVE-2024-8926?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit