GCVE - cpe:2.3:a:php:php:5.3.25:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:php:php:5.3.25:*:*:*:*:*:*:*

part: a version: 5.3.25 update: *

Vendor	Php (`9aec2613-7a27-5ce5-8ac7-140851d8da4c`)
Product	Php (`38640b93-5029-5cca-a025-ab7d01c98b51`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/php/php-src`	purl2cpe	2026-06-01 10:17:42.460701

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2016-7478`	vulnerable	2026-06-03 14:36:07.909248	Details available Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. Published: 2017-01-11T06:02:00.000Z Updated: 2024-08-06T01:57:47.681Z Open on db.gcve.eu Reference links http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf http://www.securityfocus.com/bid/95150 https://www.youtube.com/watch?v=LDcaPstAuPk https://security.netapp.com/advisory/ntap-20180112-0001/ http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-9427`	vulnerable	2026-06-03 14:34:26.929088	Details available sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping. Published: 2015-01-03T02:00:00.000Z Updated: 2024-08-06T13:47:41.005Z Open on db.gcve.eu Reference links https://bugs.php.net/bug.php?id=68618 http://www.mandriva.com/security/advisories?name=MDVSA-2015:032 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00029.html http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-6420`	vulnerable	2026-06-03 14:33:26.181213	Details available The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function. Published: 2013-12-17T02:00:00.000Z Updated: 2024-08-06T17:39:01.267Z Open on db.gcve.eu Reference links http://www.debian.org/security/2013/dsa-2816 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=c1224573c773b6845e83505f717fbf820fc18415 http://rhn.redhat.com/errata/RHSA-2013-1824.html https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322 http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4248`	vulnerable	2026-06-03 14:33:10.584778	Details available The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Published: 2013-08-18T01:00:00.000Z Updated: 2024-08-06T16:38:01.539Z Open on db.gcve.eu Reference links http://secunia.com/advisories/54657 http://www.debian.org/security/2013/dsa-2742 http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html http://www.securityfocus.com/bid/61776 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=2874696a5a8d46639d261571f915c493cd875897	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-1171`	vulnerable	2026-06-03 14:31:41.825672	Details available The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper. Published: 2014-02-15T11:00:00.000Z Updated: 2024-08-06T18:53:35.647Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=802591 https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-write.phpt https://bugs.php.net/bug.php?id=61367 https://github.com/php/php-src/blob/master/ext/libxml/tests/bug61367-read.phpt	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2011-4718`	vulnerable	2026-06-03 14:31:26.151246	Details available Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. Published: 2013-08-13T01:00:00.000Z Updated: 2024-09-16T18:44:19.435Z Open on db.gcve.eu Reference links http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=25e8fcc88fa20dc9d4c47184471003f436927cde https://wiki.php.net/rfc/strict_sessions https://bugs.php.net/bug.php?id=60491 http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=169b78eb79b0e080b67f9798708eb3771c6d0b2f	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.