CVE-2024-2756

MEDIUM

PHP 8.1.* < 8.1.28, 8.2.* < 8.2.18, 8.3.* < 8.3.5 - Cookie Prefix Spoofing via Insecure Cookie Handling

Title source: llm

Description

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

References (6)

Core 6

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/

Vendor Advisory

https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240510-0008/

Mailing List

http://www.openwall.com/lists/oss-security/2024/04/12/11

Scores

CVSS v3 6.5

EPSS 0.3786

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (3)

PHP Group/PHP 8.1.* - 8.1.28

PHP Group/PHP 8.2.* - 8.2.18

PHP Group/PHP 8.3.* - 8.3.5

Published Apr 29, 2024

Tracked Since Feb 18, 2026