Lucene search

K
cvePhpCVE-2024-2756
HistoryApr 29, 2024 - 4:15 a.m.

CVE-2024-2756

2024-04-2904:15:07
CWE-20
php
web.nvd.nist.gov
87
cve-2024-2756
incomplete fix
insecure cookies
php applications
network attackers
same-site attackers

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.4

Confidence

Low

EPSS

0.006

Percentile

79.3%

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim’s browser which is treated as a __Host-Β or __Secure-Β cookie by PHP applications.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "8.1.28",
        "status": "affected",
        "version": "8.1.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.2.18",
        "status": "affected",
        "version": "8.2.*",
        "versionType": "semver"
      },
      {
        "lessThan": "8.3.5",
        "status": "affected",
        "version": "8.3.*",
        "versionType": "semver"
      }
    ]
  }
]

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.4

Confidence

Low

EPSS

0.006

Percentile

79.3%