CVE-2024-1874

CRITICAL Year: 2024
CVSS v3 Score
9.4
Critical
Weakness Type
CWE-116
View all →

Vulnerability Description

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.

Related Vulnerabilities

CVE-2021-33672

CRITICAL
CVSS:9.6(Critical)

Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipien...

CWE-1162021

CVE-2023-3668

CRITICAL
CVSS:9.1(Critical)

Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.

CWE-1162023

CVE-2024-38475

CRITICAL
CVSS:9.1(Critical)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not int...

CWE-1162024

CVE-2024-56524

CRITICAL
CVSS:9.1(Critical)

Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.

CWE-1162024

CVE-2017-8303

CRITICAL
CVSS:9.8(Critical)

An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.

CWE-1162017

CVE-2018-15494

CRITICAL
CVSS:9.8(Critical)

In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.

CWE-1162018