{"id":"CVE-2024-2756","details":"Due to an incomplete fix for CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser that PHP applications treat as a __Host- or __Secure- cookie.","aliases":["BIT-libphp-2024-2756","BIT-php-2024-2756","BIT-php-min-2024-2756"],"modified":"2026-03-15T14:50:44.713284Z","published":"2024-04-29T04:15:07.890Z","related":["ALSA-2024:10949","ALSA-2024:10950","ALSA-2024:10951","ALSA-2024:10952","GHSA-wpj3-hf5j-x4v4","MGASA-2024-0132","SUSE-SU-2024:1444-1","SUSE-SU-2024:1445-1","SUSE-SU-2024:1446-1","SUSE-SU-2024:2037-1"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/04/12/11"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/05/msg00005.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/"},{"type":"ADVISORY","url":"https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240510-0008/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2756.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}