BIT-LIBPHP-2024-5585 Command injection via array-ish $command parameter of proc_open() (bypass CVE-2024-1874 fix)
In PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, 8.3. before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using procopen command with array syntax, due to insufficient escaping, if the arguments of the executed command ar...