Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Remediation

References

CVE-2024-11235

Related Vulnerabilities

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-1590)

WordPress Plugin Sharebar Cross-Site Scripting and SQL Injection Vulnerabilities (1.2.1)

Drupal Improper Removal of Sensitive Information Before Storage or Transfer Vulnerability (CVE-2022-31043)

Oracle Application Server Other Vulnerability (CVE-2007-3861)

WordPress Plugin Quick Buy For Woocommerce Arbitrary File Disclosure (2.0)

Severity

High

Classification

CVE-2024-11235 CWE-416 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities