CVE-2024-8926

CWE-78 — OS Command Injection7 documents6 sources

Severity

8.8HIGH

EPSS

2.7%

top 14.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP

Timeline

PublishedOct 8

Description

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server,…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDphp/php8.1.0 — 8.1.30+2

▶CVEListV5php_group/php8.1.* — 8.1.30+2

▶Debianphp8.2< 8.2.24-1~deb12u1

🔴Vulnerability Details

OSV

CVE-2024-8926: In PHP versions 8↗2024-10-08

▶

CVEList

PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)↗2024-10-08

▶

OSV

CVE-2024-8926: [Bypass of CVE-2024-4577, Parameter Injection Vulnerability]↗2024-09-27

▶

📋Vendor Advisories

Microsoft

PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)↗2024-10-08

▶

Red Hat

php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)↗2024-10-07

▶

Debian

CVE-2024-8926: php7.4 - In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, w...↗2024

▶