National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:php:php:5.4.10
There are 228 matching records.
Displaying matches 221 through 228.
Vuln ID Summary CVSS Severity
CVE-2013-2110

Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function.

Published: June 21, 2013; 04:55:01 PM -04:00
    V2: 5.0 MEDIUM
CVE-2013-3735

** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id."

Published: May 31, 2013; 05:55:01 PM -04:00
    V2: 5.0 MEDIUM
CVE-2013-1643

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-1824.

Published: March 06, 2013; 08:10:27 AM -05:00
    V2: 5.0 MEDIUM
CVE-2013-1635

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

Published: March 06, 2013; 08:10:27 AM -05:00
    V2: 7.5 HIGH
CVE-2007-4596

The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function. NOTE: this might only be a vulnerability in limited environments.

Published: August 30, 2007; 02:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-3205

The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.

Published: June 13, 2007; 06:30:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2007-2728

The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727.

Published: May 16, 2007; 06:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2006-7168

PHP remote file inclusion vulnerability in includes/not_mem.php in the Add Name module for PHP allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.

Published: March 20, 2007; 06:19:00 AM -04:00
    V2: 6.8 MEDIUM