VID 22951
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23 or 7.4.x prior to 7.4.11. It is, therefore, affected by multiple vulnerabilities:

- A weak cryptography vulnerability exists in PHP's openssl_encrypt function due to a failure to utilize all provided IV bytes. An unauthenticated, remote attacker could exploit this to reduce the level of security provided by the encryption scheme or affect the integrity of the encrypted data (CVE-2020-7069).

- A cookie forgery vulnerability exists in PHP's HTTP processing functionality. An unauthenticated, remote attacker could exploit this to forge HTTP cookies which were supposed to be secure (CVE-2020-7070).
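As an added example that is not part of this record, the following Python helper maps a self-reported PHP version (for instance from an X-Powered-By or Server header) against the three branch ranges stated above; the header names and sample banner values are assumptions.

```python
"""Assess a self-reported PHP version against the affected ranges in this record.
Constructed helper: the fixed versions come from the record, the header handling is assumed."""
import re

# Fixed release per branch, as listed in the description above.
FIXED = {(7, 2): (7, 2, 34), (7, 3): (7, 3, 23), (7, 4): (7, 4, 11)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str):
    """Extract the first x.y.z triple from a banner such as 'PHP/7.3.22-1+ubuntu'.
    Returns a tuple of ints, or None when no version is present."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """True when the version is in a branch this record tracks and is below that
    branch's fixed release. Branches not named in the record return False."""
    if version is None:
        return False
    fixed = FIXED.get(version[:2])
    return fixed is not None and version < fixed


def assess_headers(headers: dict) -> dict:
    """Look for a PHP version in the assumed X-Powered-By / Server headers and
    return the parsed version, the verdict, and which header it came from."""
    for name in ("X-Powered-By", "Server"):
        value = headers.get(name, "")
        if "PHP" in value:
            version = parse_php_version(value)
            return {"version": version, "affected": is_affected(version), "source": name}
    return {"version": None, "affected": False, "source": None}
```

Distribution packages often backport fixes without changing the reported version, so a match here is a candidate to confirm against the changelog links below, not a confirmed finding.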

* References:
http://bugs.php.net/79601
http://bugs.php.net/79699
https://www.php.net/ChangeLog-7.php#7.2.34
https://www.php.net/ChangeLog-7.php#7.3.23
https://www.php.net/ChangeLog-7.php#7.4.11

* Platforms Affected:
PHP Prior to 7.2.34
Any operating system Any version
Recommendation Upgrade to the latest version of PHP (7.2.34 or later), available from the PHP web site at http://www.php.net/downloads.php
Related URL CVE-2020-7069,CVE-2020-7070 (CVE)