Cybersecurity specialists reported the finding of two critical vulnerabilities in PHP, the popular programming language used primarily for web development. Successful exploitation of these flaws would allow threat actors to access potentially confidential information.

Below is a brief summary of the reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-7070: The way the PHP parser handles cookies as a percentage (‘%’) allows remote threat actors to send an HTTP request designed with a cookie ‘__% 48ost-‘ or ‘__% 53ecure-‘ that will be processed before other cookies are sent in the same request.

Malicious hackers will be able to set a malicious ‘__Host-‘ cookie on a compromised subdomain, dodging the restrictions imposed by the browser. The flaw received a score of 5.7/10 and its exploitation would allow hackers to perform impersonation attacks online.

CVE-2020-7069: This flaw exists because the openssl_encrypt() function generates incorrect ciphertext and an incorrect label for AES-CCM for a 12-byte IV, so a 7-byte nonce is used instead of 12 bytes.

Remote threat actors can abuse that behavior and decrypt data that passes through a website. The flaw received a score of 4.6/10.

According to the report, the vulnerabilities reside in the following versions of PHP: 7.2, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.2.11, 7.2.12, 7.2.13, 7.2.14, 7.2.15, 7.2.16, 7.2.17, 7.2.18, 7.2.19, 7.2.20, 7.2.21, 7.2.22, 7.2.23, 7.2.24, 7.2.25, 7.2.26, 7.2.27, 7.2.28, 7.2.29, 7.2.30, 7.2.31, 7.2.32, 7.2.33, 7.3, 7.3.0, 7.3.0alpha1, 7.3.0alpha4, 7.3.0beta1, 7.3.0beta3, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 7.3.10, 7.3.11, 7.3.12, 7.3.13, 7.3.14, 7.3.15, 7.3.16, 7.3.17, 7.3.18, 7.3.19, 7.3.20, 7.3.21, 7.3.22, 7.4, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.4.5, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10.

While vulnerabilities can be run remotely by unauthenticated threat actors, attempts at active exploitation or some variant of malware related to the attack have not yet been detected. Updates are now ready, so we recommend that you install the patches as soon as possible.