CVE-2019-11049
mail() may release string with refcount==1 twice
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
We have discovered 378,377 live websites that are affected by CVE-2019-11049.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 378,377 live websites (3.13% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2019-11049 and the relative popularity of websitesDetails
- Published - Dec 17, 2019
- Updated - Jul 23, 2021
Credits
- Submitted by Christoph M. Becker
CWE
CVE References
CWE References
Countries
 United States | 84,660 websites |
 France | 202,788 websites |
 Belgium | 9,251 websites |
 Poland | 8,010 websites |
 Russia | 7,544 websites |
 Italy | 7,377 websites |
 China | 6,570 websites |
 Spain | 6,013 websites |
 Germany | 5,427 websites |
 Canada | 4,916 websites |
TLDs
| .com | 175,566 websites |
| .fr | 91,017 websites |
| .org | 17,434 websites |
| .net | 10,642 websites |
| .be | 10,428 websites |
| .ru | 6,733 websites |
| .pl | 6,398 websites |
| .it | 5,724 websites |
| .eu | 4,079 websites |
| .es | 3,532 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2019-11049 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=78943
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://www.tenable.com/security/tns-2021-14
Websites affected by CVE-2019-11049
Top websites that are affected by CVE-2019-11049. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com | France | *,*** | |
| **********.com | France | *,*** | |
| ************.org | France | *,*** | |
| ***.******.com | France | *,*** | |
| *************.com |  GB | *,*** | |
| ***.***********.com | GB | **,*** | |
| ******.****.ru | Russia | **,*** | |
| *******.**.kr |  Korea, South | **,*** | |
| *******************.com | United States | **,*** | |
| **************.com | United States | **,*** |