OVAL

ALAS2PHP8.2-2024-004 --- php

ID: oval:org.secpod.oval:def:1702305
Date: (C)2024-06-07   (M)2024-06-07
Class: PATCH
Family: unix




The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability exists due to the way PHP handles HTTP variable names. A remote attacker can set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications. Note, the vulnerability exists due to an incomplete fix for #VU67756.

The vulnerability allows a remote attacker to bypass the authentication process. The vulnerability exists due to an error within the password_verify function, which can erroneously return true. A remote attacker can bypass implemented authentication based on the vulnerable function and gain unauthorized access to the web application.

Platform:
Amazon Linux 2
Product:
php
Reference:
ALAS2PHP8.2-2024-004
CVE-2024-2756
CVE-2024-3096

© SecPod Technologies