Description

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??=  operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.

Remediation

References

CVE-2024-11235

Related Vulnerabilities

Craft CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-37250)

MySQL CVE-2014-4258 Vulnerability (CVE-2014-4258)

Oracle JRE CVE-2013-5797 Vulnerability (CVE-2013-5797)

Zikula Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-1724)

MediaWiki Session Fixation Vulnerability (CVE-2013-4572)

Severity

High

Classification

CVE-2024-11235 CWE-416 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities