CVE-2022-31629
CVE-2022-31629 php: standard insecure cookie could be treated as a `__Host-` or `__Secure-` cookie by PHP applications
Publication Date | 2022-09-29 |
---|---|
Severity | Critical |
Type | Cross-Site Request Forgery |
Affected PHP Versions | |
Fixed Product Versions | |
CVE Details
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
Recommendations
If you use same-site cookies, and are on PHP versions prior to 7.4.31, 8.0 versions prior to 8.0.24, or 8.1 versions prior to 8.1.11, you should update to a patched or newer version of PHP.
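
One way to apply this recommendation across a host inventory, as an added example that is not part of the original advisory or of PHP itself. The host names and version strings are constructed, and flagging vendor-suffixed versions for a manual backport check is an assumption about distribution packaging (distributions often patch without changing the upstream version number).

```python
import re

# Fixed releases per branch, taken from the advisory text.
FIXED = {(7, 4): 31, (8, 0): 24, (8, 1): 11}
OLDEST_FIXED_BRANCH = min(FIXED)  # (7, 4)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def assess(version: str) -> str:
    """Classify a PHP version string against CVE-2022-31629.

    Returns "patched", "affected", "affected-check-backport" or "unparseable".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    branch = (major, minor)

    if branch in FIXED:
        vulnerable = patch < FIXED[branch]
    else:
        # Branches older than 7.4 count as "before 7.4.31";
        # branches newer than 8.1 were released after the fix.
        vulnerable = branch < OLDEST_FIXED_BRANCH
    if not vulnerable:
        return "patched"
    # Assumption: a suffix such as "-1ubuntu2.14" marks a vendor build whose
    # changelog may contain a backported fix, so it needs a manual check.
    return "affected-check-backport" if suffix else "affected"


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "web-01": "7.4.30",
    "web-02": "8.0.24",
    "web-03": "8.1.2-1ubuntu2.14",
    "batch-01": "7.3.33",
    "api-01": "8.2.0",
}


def audit(inventory: dict) -> dict:
    """Map each host to its classification."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: PHP {INVENTORY[host]} -> {status}")
```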