According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.1. It is, therefore, affected by multiple vulnerabilities:

  - An integer underflow condition exists in _gdContributionsAlloc   function in gd_interpolation.c. An unauthenticated, remote attacker   can have unspecified impact via vectors related to decrementing   the u variable.
  (CVE-2016-10166)

  - A heap-based buffer overflow condition exists in   gdImageColorMatch due to improper calculation of the allocated   buffer size. An attacker can exploit this, via calling   imagecolormatch function with crafted image data as parameters.
  (CVE-2019-6977)

  - A heap-based buffer over-read exists in the xmlrpc_decode function   due to improper validation of input data. An unauthenticated, remote   attacker can exploit this, via a specially crafted request, to cause   a heap out-of-bounds read or read-after-free condition, which could   result in a complete system compromise.
  (CVE-2019-9020)

  - A heap-based buffer over-read exists in the PHAR reading functions   in the PHAR extension, due to improper implementation of memory   operations. An unauthenticated, remote attacker can exploit this,   via persuading a user to parse a specially crafted file name on the   targeted system, to disclose sensitive information.
  (CVE-2019-9021)

  - Multiple heap-based buffer over-read instances exist in mbstring   regular expression functions due to improper implementation of   memory operations. An unauthenticated, remote attacker can exploit   this by sending a specially crafted regular expression that contains   multibyte sequences, to cause a condition that could allow the   attacker to completely compromise the target system.
  (CVE-2019-9023)

  - An out-of-bounds read error exists in the xmlrpc_decode function   due to improper implementation of memory operations. An   unauthenticated, remote attacker can exploit this, via a hostile   XMLRPC server to cause PHP to read from memory outside of allocated   areas.
  (CVE-2019-9024)

  - An out-of-bounds read and write error exists in the mb_split   function due to improper implementation of memory operations. An   unauthenticated, remote attacker can exploit this by causing PHP to   execute the memcpy function with a negative argument, to cause   buffer over-read and over-write conditions which could allow the   attacker to completely compromise the system.
  (CVE-2019-9025)

Detections

Analytics

PHP 7.3.x < 7.3.1 Multiple vulnerabilities.

critical Nessus Plugin ID 121475

Version 1.9

Version 1.8

Version 1.7

Version 1.9 Nov 22, 2024, 4:32 PM Plugin metadata (remove script_exclude_keys for CGI scanning) Plugin Feed: 202411221632
Version 1.8 Jun 25, 2024, 9:36 AM CVSSv2 score source (changed from "CVE-2016-10166" to "CVE-2019-9025") Plugin Feed: 202406250936
Version 1.7 Jun 4, 2024, 12:08 PM Required Scan configuration ("Enable cgi scanning" set to "True") Plugin Feed: 202406041208