CVE-2024-11234
Configuring a proxy in a stream context might allow for CRLF injection in URIsIn PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with configured proxy and "request_fulluri" option, the URI is not properly sanitized which can lead to HTTP request smuggling and allow the attacker to use the proxy to perform arbitrary HTTP requests originating from the server, thus potentially gaining access to resources not normally available to the external user.
We have discovered 757,683 live websites that are affected by CVE-2024-11234.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Domains | 757,683 live websites (8.68% of PHP install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 71 versions ( 12.98% of all versions) |
Common Weakness Enumeration
CWE-20 Improper Input ValidationDetails
- Published - Nov 24, 2024
- Updated - Nov 24, 2024
Credits
- Lorenzo Leonardini (reporter)
CWE
CVE References
CWE References
CVE-2024-11234 usage by Country
 United States | 178,746 websites |
 Cyprus | 91,227 websites |
 France | 85,693 websites |
 Germany | 74,042 websites |
 Russia | 53,196 websites |
 Sweden | 51,528 websites |
 Netherlands | 48,994 websites |
 GB | 20,395 websites |
 Japan | 14,257 websites |
 Australia | 11,284 websites |
CVE-2024-11234 usage by TLD
| .com | 263,806 websites |
| .ru | 47,947 websites |
| .nl | 44,983 websites |
| .se | 36,058 websites |
| .fr | 33,719 websites |
| .org | 27,691 websites |
| .com.br | 21,432 websites |
| .de | 19,744 websites |
| .net | 19,593 websites |
| .co.uk | 15,779 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-11234
Top websites that are affected by CVE-2024-11234. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *** | |
| ******.com | United States | *,*** | |
| *****.cz |  Czech Republic | *,*** | |
| ********.********.it |  Italy | *,*** | |
| ***********.de | Germany | *,*** | |
| ***.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| *******.com | Germany | *,*** | |
| ******.com | United States | *,*** | |
| ****.com |  China | *,*** |
FAQ
CVE-2024-11234 is Improper Input Validation in PHP
A total of 757,683 websites have been identified as vulnerable to CVE-2024-11234, discovered through global website indexing conducted by WebTechSurvey.
PHP is susceptible to CVE-2024-11234 vulnerability.
PHP versions before 8.3.14 are vulnerable to CVE-2024-11234.
Version 8.3.14 of PHP addresses the CVE-2024-11234 security vulnerability.