CVE-2024-2756 | Zend by Perforce

Host/Secure cookie bypass due to partial CVE-2022-31629 fix

Publication Date	2024-04-12
Severity	Moderate
Type	Cross-Site Request Forgery
Affected PHP Versions	7.4.0 - 7.4.33 8.0.0 - 8.0.30 8.1.0 - 8.1.27 8.2.0 - 8.2.17 8.3.0 - 8.3.5
Fixed Product Versions	ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3

CVE Details

Due to an incomplete fix for CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser, which is then treated as a __Host- or __Secure- cookie by PHP applications.

Recommendations

If you use Same-Site cookies, we recommend updating to a patched version of PHP.

< View all CVEs