CVE-2024-28864

CVSS 3.1 Score 2.6 of 10 (low)

Details

Published Mar 18, 2024
Updated: Mar 19, 2024
CWE ID 1333

Summary

CVE-2024-28864 is a vulnerability in versions 1.2.0 and 1.2.1 of the SecureProps PHP library. It occurs when decrypting data that was encoded with NullEncoder and is passed to TagAwareCipher: the regex fails to detect the tags, so the decryption process is skipped and the encrypted data is returned in plain format. Users who implement TagAwareCipher with any base cipher that has NullEncoder are affected.

The issue has been patched in version 1.2.2, and users are advised to update to this version. As a workaround, users may use the default Base64Encoder with the base cipher decorated with TagAwareCipher, which prevents special characters from interfering with the regex tag detection logic.

The vulnerability is rated low risk: the attack vector is network, low privileges and user interaction are required, and the confidentiality impact is low, with no integrity or availability impact identified.
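A minimal illustration of this failure class, added here and not taken from the SecureProps code base: the `<ENC>` tag format, both regex patterns and the XOR stand-in cipher are assumptions, chosen to show how a single raw byte (a newline) can defeat tag detection while Base64-encoded output cannot.

```php
<?php
declare(strict_types=1);
// Added illustration, not SecureProps code. Tag format, patterns, the toy
// cipher and the sample plaintext are all constructed for this example.

const TAG_OPEN  = '<ENC>';    // hypothetical tag
const TAG_CLOSE = '</ENC>';

// Fragile detector: "." does not match "\n" unless the /s modifier is set.
const FRAGILE = '/^<ENC>(.+)<\/ENC>$/';
// Binary-safe detector: /s lets "." match any byte, /D pins "$" to the true end.
const BINARY_SAFE = '/^<ENC>(.+)<\/ENC>$/sD';

/** Stand-in for the base cipher (XOR is its own inverse). Not real crypto. */
function toyCipher(string $data): string
{
    return $data ^ str_repeat("\x5a", strlen($data));
}

/** Mimics a tag-aware decrypt: only decrypts when the tag pattern matches. */
function tagAwareDecrypt(string $pattern, string $value, callable $decode): string
{
    if (preg_match($pattern, $value, $m) !== 1) {
        return $value;   // no tag detected: decryption skipped, input returned
    }
    return toyCipher($decode($m[1]));
}

$plaintext = 'PIN=1234';          // constructed sample
$raw = toyCipher($plaintext);     // first byte becomes "\n" (0x50 ^ 0x5a = 0x0a)

$identity = fn(string $s): string => $s;                             // raw bytes
$base64   = fn(string $s): string => (string) base64_decode($s, true);

$rawTagged = TAG_OPEN . $raw . TAG_CLOSE;                  // NullEncoder-style
$b64Tagged = TAG_OPEN . base64_encode($raw) . TAG_CLOSE;   // Base64Encoder-style

$cases = [
    'raw bytes + fragile pattern'     => tagAwareDecrypt(FRAGILE, $rawTagged, $identity),
    'raw bytes + binary-safe pattern' => tagAwareDecrypt(BINARY_SAFE, $rawTagged, $identity),
    'base64 + fragile pattern'        => tagAwareDecrypt(FRAGILE, $b64Tagged, $base64),
];

foreach ($cases as $label => $out) {
    printf("%-34s %s\n", $label, $out === $plaintext ? 'decrypted' : 'decryption skipped');
}
```

Only the first case skips decryption; a regression test that round-trips ciphertext containing newline and other control bytes through the tag detector catches this class of bug.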
