CVE-2024-4577#
Statement on CVE-2024-4577 PHP Zero-day#
August 22, 2024
Information#
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Severity#
Medium
Response#
The wiki has been updated
From |
To |
|---|---|
Media Wiki – 1.37.2 |
Media Wiki – 1.42.1 |
PHP – 8.0.3 |
PHP – 8.3.10 |
Which are the latest versions of both.
PHP 8.3.10 is not affected by CVE-2024-4577
If you have any additional questions, please contact Melissa’s Compliance department at Compliance@melissa.com.