CVE-2024-2756 | Zend by Perforce

Host/Secure cookie bypass due to partial CVE-2022-31629 -5955')) ORDER BY 1-- seus

Publication Date	2024-04-12
Severity	Low
Type	Cross-Site Request Forgery
Affected PHP Versions	7.4.0 - 7.4.33 8.0.0 - 8.0.30 8.1.0 - 8.1.27 8.2.0 - 8.2.17 8.3.0 - 8.3.5
Fixed Product Versions	ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3 ZendServer 2019.1.6 ZendServer 2021.3.4

CVE Details

Due to an incomplete fix for CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser, which is then treated as a __Host- or __Secure- cookie by PHP applications.

Recommendations

If you use Same-Site cookies, we recommend updating to a patched version of PHP.

< View all CVEs