[SA-0008] Critical PHP Vulnerability lets attackers inject commands

Hi Everyone,

Sippy Software has been informed regarding a critical PHP vulnerability that allows attackers to inject commands.  This allows for command injection, cookie bypass, account take overs and denial of service types of attack to your system.  An update is ready for Sippy 2022 that contains a patched version of PHP.  Customers on Sippy 2021 and older are advised to upgrade to the latest Sippy 2022 as the older versions of our software cannot support the newer version of PHP.  In the interim we strongly suggest to ensure your firewall policies are in place limiting access to your soft switch from unknown IP addresses.

Critical PHP Vulnerabilities

According to the reports shared with Cyber Security News, these vulnerabilities affect all versions prior to 8.3.5, 8.2.18, 8.1.28, and 8.1.11.

The vulnerabilities identified are as follows:

  • Command Injection (CVE-2024-1874).
  • Cookie Bypass is due to an insufficient fix of CVE-2022-31629 (CVE-2024-2756).
  • Null byte acceptance leading to Account TakeOver (CVE-2024-3096).
  • Denial of Service (CVE-2024-2757).

For more information please refer to the following article


Login or Signup to post a comment