NIST released a notification of a new PHP vulnerability CVE-2024-4577.

• App Control Server: All Supported Versions
• Microsoft Windows: All Supported Versions
• PHP: versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8

When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

App Control Server does not use Apache, and thus is not exposed to this vulnerability.

• Libraries (such as PHP) are updated with each Server Release.
• Subscribe to Product Update Notifications to be alerted when a new Server Release is available.
• Do not attempt to update the PHP Library or make any modifications to the PHP Library used by App Control. Doing so will cause issues accessing the Console.