CVE-2024-5585 Information

Description

In PHP versions 8.1. before 8.1.29 8.2. before 8.2.20 8.3. before 8.3.8 the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax due to insufficient escaping if the arguments of the executed command are controlled by a malicious user the user can supply arguments that would execute arbitrary commands in Windows shell.

Reference

https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385