PHP : Security Vulnerabilities, CVEs, Published In August 2010
The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.
Max CVSS
5.0
EPSS Score
0.47%
Published
2010-08-20
Updated
2010-12-10
Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.
Max CVSS
6.8
EPSS Score
1.03%
Published
2010-08-20
Updated
2010-12-07
The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.
Max CVSS
5.0
EPSS Score
0.26%
Published
2010-08-20
Updated
2010-12-07
mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function.
Max CVSS
5.0
EPSS Score
0.99%
Published
2010-08-20
Updated
2010-12-07
The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.
Max CVSS
4.3
EPSS Score
1.84%
Published
2010-08-20
Updated
2023-01-19
The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler.
Max CVSS
5.0
EPSS Score
0.59%
Published
2010-08-20
Updated
2016-08-23
6 vulnerabilities found