Two more security vulnerabilities have been discovered in the PHP programming language.

According to Security Online , two new vulnerabilities in PHP have been discovered and assigned the identifiers CVE-2023-3823 and CVE-2023-3824. The CVE-2023-3823 vulnerability, with a CVSS index of 8.6, is an information disclosure vulnerability that allows remote attackers to obtain sensitive information from PHP applications.

This vulnerability stems from incomplete validation of user-provided XML input. An attacker can exploit it by sending a specially crafted XML file to the application. The application will then parse the code, allowing the attacker to access sensitive information, such as the contents of system files or the results of external requests.

The danger lies in the fact that any application, library, or server that parses or interacts with XML documents is vulnerable to this flaw.

Meanwhile, vulnerability CVE-2023-3824 is a buffer overflow vulnerability with a CVSS score of 9.4, allowing a remote attacker to execute arbitrary code on a PHP-based system. This vulnerability is caused by a PHP function improperly checking limits. An attacker can exploit it by sending a special request to the application, thereby causing a buffer overflow and gaining control of the system to execute arbitrary code.

Because of this danger, users are advised to update their systems to PHP version 8.0.30 as soon as possible. In addition, they should also take steps to protect PHP applications from attacks, such as authenticating all user input and using a web application firewall (WAF).