EXECUTIVE SUMMARY:
Multiple critical vulnerabilities have been identified in PHP versions with associated CVE IDs CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757. These vulnerabilities include command injection, cookie bypass, account takeover, and denial of service. CVE-2024-1874 involves command injection due to the improper handling of the $command parameter in proc_open, potentially leading to the execution of arbitrary commands. CVE-2024-2756 relates to a cookie bypass vulnerability resulting from an insufficient fix for a previous CVE- 2022-31629, allowing threat actors to overwrite cookies and potentially perform malicious actions. CVE-2024-3096 allows for account takeover by exploiting null byte acceptance in the password_hash parameter, enabling unauthorized access to victim accounts. Lastly, CVE-2024-2757 involves a denial-of-service vulnerability triggered by mb_encode_mimeheader, potentially leading to endless loops and service disruption when certain inputs are provided. These vulnerabilities have been addressed in PHP which includes fixes alongside additional features and bug corrections.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/patch-php-vulnerabilities-now/