{"id":"BIT-php-min-2024-8926","summary":"PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)","details":"In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows \"Best Fit\" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.","aliases":["BIT-libphp-2024-8926","BIT-php-2024-8926","CVE-2024-8926","GHSA-p99j-rfp4-xqvq"],"modified":"2025-11-06T13:25:46.476Z","published":"2025-01-14T19:19:08.416Z","database_specific":{"cpes":["cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"],"severity":"High"},"references":[{"type":"WEB","url":"https://github.com/advisories/GHSA-vxpp-6299-mxw3"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8926"},{"type":"WEB","url":"https://github.com/php/php-src/security/advisories/GHSA-p99j-rfp4-xqvq"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20241101-0003/"}],"affected":[{"package":{"name":"php-min","ecosystem":"Bitnami","purl":"pkg:bitnami/php-min"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"8.1.30"},{"introduced":"8.2.0"},{"fixed":"8.2.24"},{"introduced":"8.3.0"},{"fixed":"8.3.12"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/php-min/BIT-php-min-2024-8926.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}],"schema_version":"1.7.3"}