The developer of the PHP (Hypertext Preprocessor) server-side scripting language has issued a series of updates that fix 40 vulnerabilities spread across four different versions -- the most serious of which was severe enough to allow an attacker to execute arbitrary code within the context of an affected application.
According to an advisory issued late last week by the Multi-State Information Sharing & Analysis Center (MS-ISAC), the most dangerous bug can be exploited to "view, change, or delete data; or create new accounts with full user rights," depending on the user privileges associated with the affected application. A failed exploitation attempt can also result in a denial-of-service (DoS) condition.
The affected versions are PHP 7.2 prior to 7.2.5 (18 bugs), PHP 7.1 prior to 7.1.17 (14 bugs), PHP 7.0 prior to 7.0.30 (four bugs), and PHP 5.0 prior to 5.6.36 (four bugs).
The MS-ISAC rates the risk to both government and business users as high, and advises organizations to upgrade immediately to the latest patched version of PHP, but only after conducting appropriate testing and verifying that no unauthorized modifications have previously been made to the system.