CVE-2024-4577 Vulnerability in PHP Could Allow Command Injection and Source Code Revelation
CVE-2024-8926

8.8HIGH

Key Information:

Vendor: PHP Group
Status: PHP
Vendor: CVE Published:; 8 October 2024

Summary

In certain configurations involving non-standard Windows codepages, vulnerabilities in specific versions of PHP may allow attackers to exploit command injection weaknesses. These weaknesses can lead to unauthorized access to PHP binary options, enabling malicious actors to reveal script source code or execute arbitrary PHP code on affected servers. This threat underscores the importance of strict configuration management and regular updates for PHP installations.

Affected Version(s)

PHP Windows 8.1.*

PHP Windows 8.1.* < 8.1.30

PHP Windows 8.2.* < 8.2.24

References

https://github.com/php/php-src/security/advisories/GHSA-p...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Sep 17, 2024

Credit

https://github.com/MortalAndTry