CVE Daily

CVE-2024-8926

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, w...

High CVSS 8.1

Overview

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

CWE: CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Published: 2024-10-08T04:15:10.637
Risk analysis

This vulnerability is rated 🟠 HIGH.

  • CVSS: 8.1 (HIGH)
  • Detected tags: command_injection (tag impact: LOW)

Recommended actions:

  • Prioritize remediation based on business criticality and exposure.
  • Limit exposure and increase monitoring until fixed.

Recommended tools

This page may include affiliate links. If you purchase through them, we may earn a commission at no extra cost to you. Learn more.

Tags