by @jakaba
08 Jul 2024

Command injection vulnerability in PHP on Windows systems (CVE-2024-1874 and CVE-2024-5585)

CVEs

9.4 Critical Severity
8.8 High Severity

OS

Fedora

Apps

PHP

Summary

In PHP, CVE-2024-1874 is caused by insufficient escaping when `proc_open()` is called with the array form of its command parameter on Windows: if a malicious user controls the arguments, they can supply values that execute arbitrary commands through the Windows shell. Proper input validation and escaping are crucial to prevent such vulnerabilities and ensure that commands are executed securely.
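The validation the summary calls for, as an added example that is not code from the advisory or from PHP itself: every untrusted argument is checked against a strict allowlist before it reaches `proc_open()` in array form, so the program does not depend on the runtime's escaping for the Windows shell. The helper names `assertSafeArgument()` and `runValidated()` are hypothetical.

```php
<?php
// Added example (not from the advisory or from PHP). Allowlist-validate each
// untrusted argument before proc_open() sees it; helper names are hypothetical.

/**
 * Accept only plain token characters. Anything cmd.exe treats specially
 * (& | < > ^ % " plus whitespace and newlines) fails the pattern and is refused.
 */
function assertSafeArgument(string $arg): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $arg)) {
        throw new InvalidArgumentException(
            'Refused argument with unsafe characters: ' . bin2hex($arg)
        );
    }
    return $arg;
}

/**
 * Run a fixed, non-user-controlled $program with validated arguments and
 * return its stdout. Validation completes before any process is started.
 */
function runValidated(string $program, array $untrustedArgs): string
{
    $command = array_merge([$program], array_map('assertSafeArgument', $untrustedArgs));
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open() failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $stdout;
}

// Constructed inputs: a harmless flag is accepted; an argument carrying a
// shell metacharacter is rejected before proc_open() is ever called.
echo runValidated(PHP_BINARY, ['--version']);
try {
    runValidated(PHP_BINARY, ['--version', 'report.txt&extra']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Upgrading to a PHP release that contains the fix remains the primary remediation; the allowlist is defense in depth that holds regardless of how the runtime escapes arguments.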
