CVE-2024-1874 Information

Description

In PHP versions 8.1. before 8.1.28 8.2. before 8.2.18 8.3. before 8.3.5 when using proc_open() command with array syntax due to insufficient escaping if the arguments of the executed command are controlled by a malicious user the user can supply arguments that would execute arbitrary commands in Windows shell. 

Reference

https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7