CVE-2019-11049
Published: 2019-12-23
Priority: P3 | 51 | critical | 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.22% (89.7th percentile)
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| php | php | — | — |
| php | php | 7.3.0 – 7.3.13 | — |
| php_group | php | >= 7.3.x < 7.3.13 | 7.3.13 |
| php_group | php | >= 7.4.x < 7.4.1 | 7.4.1 |
| tenable | securitycenter | < 5.19.0 | 5.19.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
GHSA-h3jj-5ghg-r32j (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-415)
Description: identical to the CVE description above.
CISA ICS
ICSA-26-027-02: Festo Didactic SE MES PC (cisa_ics · 2026-01-27 · CVSS 7.5 · HIGH)
ICS Advisory. Release date: January 27, 2026. Alert code: ICSA-26-027-02.
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Red Hat
php: double free when supplying custom headers to mail function (vendor_redhat · 2019-12-10 · CVSS 6.5 · MEDIUM · CWE-416)
Description: identical to the CVE description above.
Statement: This issue doesn't affect any PHP version as shipped with Red Hat Enterprise Linux or Red Hat Software Collection versions, as the flawed component is exclusive to Windows.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 7) - Not affected
Package: php:7.2/php (Red Hat
No detection rules found.
No public exploits indexed.
References
- https://bugs.php.net/bug.php?id=78943
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://seclists.org/bugtraq/2020/Feb/27
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://www.debian.org/security/2020/dsa-4626
- https://www.tenable.com/security/tns-2021-14