According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.14. It is, therefore, affected by multiple vulnerabilities:

  - An integer underflow condition exists in _gdContributionsAlloc   function in gd_interpolation.c. An unauthenticated, remote attacker   can have unspecified impact via vectors related to decrementing   the u variable. (CVE-2016-10166)

  - A denial of service (DoS) vulnerability exists in   ext/imap/php_imap.c. An unauthenticated, remote attacker can   exploit this issue, via an empty string in the message argument   to the imap_mail function, to cause the application to stop   responding. (CVE-2018-19935)

  - A heap-based buffer overflow exists in gdImageColorMatch in   gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5.
  An unauthenticated, remote attacker can exploit this via the   triggering of imagecolormatch calls with crafted image data, to   cause a denial of service condition or the execution of arbitrary   code. (CVE-2019-6977)

  - A heap-based buffer over-read exists in the xmlrpc_decode function   due to improper validation of input data. An unauthenticated, remote   attacker can exploit this, via a specially crafted request, to cause   a heap out-of-bounds read or read-after-free condition, which could   result in a complete system compromise. (CVE-2019-9020)

  - A heap-based buffer over-read exists in the PHAR reading functions   in the PHAR extension, due to improper implementation of memory   operations. An unauthenticated, remote attacker can exploit this,   via persuading a user to parse a specially crafted file name on the   targeted system, to disclose sensitive information. (CVE-2019-9021)

  - An information disclosure vulnerability exists in the   dns_get_record function due to improper parsing of DNS responses. An   unauthenticated, remote attacker can exploit this, via a specially   crafted DNS reply sent from a rogue DNS server to disclose   potentially sensitive information. (CVE-2019-9022)

  - Multiple heap-based buffer over-read instances exist in mbstring   regular expression functions due to improper implementation of   memory operations. An unauthenticated, remote attacker can exploit   this by sending a specially crafted regular expression that contains   multibyte sequences, to cause a condition that could allow the   attacker to completely compromise the target system. (CVE-2019-9023)

  - An out-of-bounds read error exists in the xmlrpc_decode function   due to improper implementation of memory operations. An   unauthenticated, remote attacker can exploit this, via a hostile   XMLRPC server to cause PHP to read from memory outside of allocated   areas. (CVE-2019-9024)

Detections

Analytics

PHP 7.2.x < 7.2.14 Multiple vulnerabilities.

critical Nessus Plugin ID 121353

Version 1.10

Version 1.9

Version 1.8

Version 1.10 Nov 22, 2024, 4:32 PM Plugin metadata (remove script_exclude_keys for CGI scanning) Plugin Feed: 202411221632
Version 1.9 Jun 26, 2024, 9:01 AM CVSSv2 score source (changed from "CVE-2016-10166" to "CVE-2019-9023") Plugin Feed: 202406260901
Version 1.8 May 28, 2024, 5:14 PM Required Scan configuration ("Enable cgi scanning" set to "True") Plugin Feed: 202405281714