ALAS2PHP8.2-2024-004 --- php
ID: oval:org.secpod.oval:def:1702305 | Date: (C)2024-06-07 (M)2024-06-07 |
Class: PATCH | Family: unix |
The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. Note: the vulnerability exists due to an incomplete fix for #VU67756.

The vulnerability allows a remote attacker to bypass the authentication process. The vulnerability exists due to an error within the password_verify function, which can erroneously return true. A remote attacker can bypass implemented authentication based on the vulnerable function and gain unauthorized access to the web application.