Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

PHP Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2024-11234)

Description

In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.

Remediation

References

Related Vulnerabilities

Internet Information Services Other Vulnerability (CVE-2001-0709)

WordPress Plugin Permalink Manager Lite Unspecified Vulnerability (2.2.13.1)

WordPress Plugin typofr Cross-Site Scripting (0.11)

MySQL CVE-2020-14790 Vulnerability (CVE-2020-14790)

WordPress Plugin Search and Share Cross-Site Scripting (0.9.3)

Severity

High

Classification

CVE-2024-11234 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities