CVE-2020-7061
Published: 2020-02-27
Priority: P348 · Critical · CVSS 3.1 base score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS: 3.98% (percentile 89.2)
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.

Two points for triage. First, the flaw is a one-byte out-of-bounds read (the GHSA record classifies it as CWE-125); the Red Hat record titles it a heap-based buffer overflow (CWE-122), but nothing in the description indicates an out-of-bounds write, so the realistic outcomes are the crash or the small disclosure the description names. Second, it is reachable only where PHP on Windows extracts attacker-controlled PHAR content with the phar extension loaded, which is why Red Hat marks all of its Linux packages not affected. The NVD vector (AV:N/PR:N with C:H/A:H) models an application that extracts untrusted archives received over the network; Debian and Red Hat both rate the issue 6.5.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php7.4 | — | — |
| php | php | 7.2.0 – 7.2.27 | — |
| php | php | 7.3.0 – 7.3.14 | — |
| php | php | 7.4.0 – 7.4.2 | — |
| php_group | php | >= 7.3.x < 7.3.15 | 7.3.15 |
| php_group | php | >= 7.4.x < 7.4.3 | 7.4.3 |
| tenable | tenable.sc | < 5.19.0 | 5.19.0 |
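As an added self-check that is not part of this tracker page or of PHP itself, the following script reports whether the PHP binary running it falls inside the upstream ranges in the table above and meets the two preconditions stated in the description and in the Red Hat statement below (Windows host, phar extension loaded). The constant and function names are my own; the ranges are copied from the advisory text.

```php
<?php
// Added example (not from the tracker page or the PHP project): self-check for CVE-2020-7061.
// Run on the host whose PHP build you are assessing: php cve_2020_7061_check.php
declare(strict_types=1);

/** Affected ranges from the advisory, as [first affected, first fixed) pairs. */
const CVE_2020_7061_RANGES = [
    ['7.3.0', '7.3.15'],   // 7.3.x below 7.3.15
    ['7.4.0', '7.4.3'],    // 7.4.x below 7.4.3
];

/** True when $version lies inside one of the upstream affected ranges. */
function cve_2020_7061_version_affected(string $version): bool
{
    foreach (CVE_2020_7061_RANGES as [$first, $fixed]) {
        if (version_compare($version, $first, '>=') && version_compare($version, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

/**
 * Combine the version check with the two preconditions from the advisory:
 * the flaw is Windows-only, and it lives in the phar extension's extraction code.
 */
function cve_2020_7061_exposure(string $version, string $osFamily, bool $pharLoaded): string
{
    if (!cve_2020_7061_version_affected($version)) {
        return "not affected: PHP $version is outside 7.3.0-7.3.14 / 7.4.0-7.4.2";
    }
    if ($osFamily !== 'Windows') {
        return "not affected: PHP $version is in range, but the flaw only affects PHP on Windows";
    }
    if (!$pharLoaded) {
        return "in range on Windows, but the phar extension is not loaded";
    }
    return "AFFECTED: upgrade to 7.3.15 / 7.4.3, or stop extracting untrusted PHAR archives until then";
}

// Evaluate the interpreter that is running this script.
echo cve_2020_7061_exposure(PHP_VERSION, PHP_OS_FAMILY, extension_loaded('phar')), PHP_EOL;
```

The script encodes upstream version boundaries only. A distribution build can carry a backported fix under an unchanged upstream version string (the Debian record below marks bullseye resolved), so on such hosts consult the vendor tracker rather than trusting the version check alone. The Tenable.sc row in the table is a separate product line and is not covered by this script.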
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
CISA ICS
Festo Didactic SE MES PC
cisa_ics · 2026-01-27 · CVSS 7.5 · [HIGH]
ICS Advisory ICSA-26-027-02, released January 27, 2026
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Red Hat
php: heap-based buffer overflow in phar_extract_file
vendor_redhat · 2020-01-26 · CVSS 6.5 · [MEDIUM] · CWE-122
Statement: This flaw affects only PHP running on Windows operating system.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 7) - Not affected
Package: php:7.2/php (Red Hat Enterprise Linux 8) - Not affected
Package: php:7.3/php (Red Hat Enterprise Linux 8) - Not affected
Package: rh-php72-php (Red Hat S
Debian
php7.4
vendor_debian · 2020 · CVSS 6.5 · [MEDIUM]
Scope: local
bullseye: resolved
GHSA
GHSA-q6h5-x7cx-j9jg
ghsa_unreviewed · 2022-05-24 · [MEDIUM] · CWE-125
No detection rules found.
No public exploits indexed.