CVE-2024-8926

PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

CVSS 8.1 HIGHEPSS 3.7%CWE-78

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

PHP Group · PHP

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq https://security.netapp.com/advisory/ntap-20241101-0003/