PHP
CVE-2024-28864
LOW
Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement TagAwareCipher with any base cipher that has NullEncoder (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default Base64Encoder with the base cipher decorated with TagAwareCipher to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since TagAwareCipher uses NullEncoder by default.
AnalysisAI
SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-1333. SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement TagAwareCipher with any base cipher that has NullEncoder (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default Base64Encoder with the base cipher decorated with TagAwareCipher to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since TagAwareCipher uses NullEncoder by default. Affected products include: Ilicmiljan Secureprops. Version information: version 1.2.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today