CVE-2024-4577 (Exploit Available)

PHP CGI Argument Injection on Windows

Vendor: PHP Group | CWE-88 | Tags: #PHP #Windows #RCE #CGI #Web Server

CVSS 3.1 Base Score: 9.8 Critical

Vulnerability Description

A critical argument injection vulnerability in PHP-CGI on Windows allows unauthenticated remote code execution. The protection added for CVE-2012-1823 stops query-string arguments that begin with an ASCII hyphen from being treated as php-cgi options, but Windows applies "Best-Fit" character mapping when converting the command line in certain code pages, turning other characters such as the soft hyphen (0xAD) into a plain hyphen (0x2D) after that check. A request whose query string starts with a percent-encoded soft hyphen therefore reaches php-cgi as a command-line option, letting an attacker supply arbitrary php.ini directives and run code on the server. Windows installations using the Traditional Chinese, Simplified Chinese, or Japanese locales are affected by default; installations in other locales should not be assumed safe.
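As an added example (not code from the PHP project or from this advisory), the following Python check applies the same condition as the published soft-hyphen rewrite rule to web-server access-log lines, and shows what argv php-cgi would receive after Best-Fit mapping. The log lines, hosts, paths and timestamps are constructed for illustration; only the 0xAD to 0x2D mapping is modelled, and the "no unencoded '=' means the query goes to argv" rule comes from RFC 3875 section 4.4.

```python
"""Detect CVE-2024-4577 exploitation attempts in web-server access logs.

Added example, not code from the PHP project or from this advisory.
All log lines, hosts and paths below are constructed for illustration.
"""
import re
from urllib.parse import unquote_to_bytes

# U+00AD SOFT HYPHEN. In the affected Windows code pages, Best-Fit mapping
# converts this byte to an ASCII hyphen (0x2D), which is what lets a query
# string start a php-cgi option after the CVE-2012-1823 hyphen check passed.
SOFT_HYPHEN = 0xAD

# Request line and status code from a combined-format (Apache/nginx) log entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def raw_query(target: str) -> str:
    """Query string of a request target, still percent-encoded ('' if none)."""
    return target.partition("?")[2]


def starts_with_soft_hyphen(target: str) -> bool:
    """Same condition as a rewrite rule on QUERY_STRING ^%ad (case-insensitive)."""
    decoded = unquote_to_bytes(raw_query(target))
    return len(decoded) > 0 and decoded[0] == SOFT_HYPHEN


def passed_as_argv(target: str) -> bool:
    """RFC 3875 s4.4: only a query with no unencoded '=' is handed to the CGI as argv."""
    return "=" not in raw_query(target)


def injected_options(target: str) -> list[str]:
    """The argv php-cgi would see: split on '+', percent-decode, apply Best-Fit.

    Only the 0xAD -> '-' mapping is modelled; Best-Fit maps other bytes too.
    """
    options = []
    for part in raw_query(target).split("+"):
        arg = unquote_to_bytes(part).replace(bytes([SOFT_HYPHEN]), b"-")
        if arg:
            options.append(arg.decode("latin-1"))
    return options


def scan_log(lines):
    """Return one record per request whose query starts with a soft hyphen."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match or not starts_with_soft_hyphen(match.group("target")):
            continue
        target = match.group("target")
        hits.append({
            "target": target,
            "status": int(match.group("status")),
            "argv_exposed": passed_as_argv(target),  # would the server pass it as argv?
            "options": injected_options(target),
        })
    return hits


# Constructed sample log (not real traffic). The second line mirrors the
# publicly documented exploit shape: -d directives that make php-cgi run the POST body.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2024:10:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Jun/2024:10:12:03 +0000] "POST /php-cgi/php-cgi.exe?'
    '%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 133',
    '10.0.0.9 - - [07/Jun/2024:10:12:04 +0000] "GET /cgi-bin/php-cgi.exe?%adh HTTP/1.1" 200 1024',
    '10.0.0.7 - - [07/Jun/2024:10:12:05 +0000] "GET /index.php?q=%ADtest HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is deliberately not flagged: the soft hyphen appears inside a parameter value, not at the start of the query, so it would never reach php-cgi as an option. A 200 status on a flagged request against a php-cgi.exe path is the signal worth triaging first.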

Recommended Mitigation

Upgrade PHP on Windows to 8.3.8, 8.2.20, or 8.1.29. Older branches (8.0, 7.x, 5.x) are end-of-life and did not receive a fix, so they must be migrated rather than patched. Where an upgrade cannot be applied immediately, stop running PHP in CGI mode (use Apache mod_php or FastCGI via mod_fcgid instead; PHP-FPM is not available on Windows), or add a URL rewrite rule that rejects any request whose query string begins with a percent-encoded soft hyphen (%AD). Such a rule is a stopgap that only blocks this specific prefix, not a replacement for the upgrade.
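Added example of the rewrite-rule stopgap (not taken from this page): the Apache rule below rejects requests whose query string starts with a percent-encoded soft hyphen, matched case-insensitively. It is assumed to go in httpd.conf or the relevant virtual host with mod_rewrite enabled.

```apache
RewriteEngine On
# Reject query strings beginning with a percent-encoded soft hyphen (%ad / %AD).
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
```

On XAMPP for Windows, php-cgi.exe is additionally exposed through the `ScriptAlias /php-cgi/` directive in httpd-xampp.conf; if CGI access to PHP is not needed, comment that line out so the binary is not reachable over HTTP at all.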

Affected Products

PHP for Windows (CGI mode)
XAMPP for Windows
Laragon

Version constraint: PHP < 8.3.8, < 8.2.20, < 8.1.29 on Windows

Quick Facts

Published
2024-06-06
Last Modified
2024-06-10
Vendor
PHP Group
CWE
CWE-88
Exploit
⚠️ Public Exploit Exists

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H