Is the App Control Server affected by the PHP Vulnerability CVE-2024-4577?
Article ID: 369952

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

NIST published a notification of a new PHP vulnerability, CVE-2024-4577, and customers are asking whether App Control Server is affected.

Environment

  • App Control Server: 8.10.4 and lower
  • Microsoft Windows: All Supported Versions
  • PHP: versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8

Cause

  • When PHP is run as CGI under Apache on Windows and the system uses certain code pages, Windows may apply "Best-Fit" character mapping to the command line passed to Win32 API functions, silently replacing characters that have no exact equivalent in that code page.
  • The PHP CGI module may then interpret the substituted characters as PHP command-line options, which lets a remote, unauthenticated user pass options to the PHP binary being executed and thereby disclose script source code, run arbitrary PHP code on the server, etc.

Resolution

  • App Control Server does not use Apache, so the Apache/PHP-CGI configuration this vulnerability requires is not present and the server is not exposed.
  • Upgrading to Server version 8.11.0 updates the bundled PHP to version 8.3.14, which is outside the affected ranges and clears the finding raised by vulnerability scanners that flag the installed PHP version.
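The following PowerShell triage script is an added example and is not part of this article or of the App Control product; it lets an administrator confirm on a given server that the preconditions described under Cause (Apache with PHP-CGI) are absent and report the bundled PHP version against the fixed releases listed under Environment. The install root path and the binary names searched for are assumptions; adjust them to the actual installation.

```powershell
# Added example (not from the KB article): CVE-2024-4577 triage for an App Control Server host.
# Run from an elevated PowerShell session on the server. It only reads; it changes nothing.
# The install root is an ASSUMPTION; point it at the actual App Control Server directory.
$InstallRoot = 'C:\Program Files (x86)\Bit9\Parity Server'

# Fixed releases from the advisory: earlier 8.1/8.2/8.3 builds are in the affected ranges.
$Fixed = @{
    '8.1' = [version]'8.1.29'
    '8.2' = [version]'8.2.20'
    '8.3' = [version]'8.3.8'
}

# 1. Precondition: is Apache httpd running or installed as a service on this host?
$apacheProc = Get-Process -Name 'httpd', 'apache*' -ErrorAction SilentlyContinue
$apacheSvc  = Get-Service | Where-Object { $_.Name -match 'apache|httpd' -or $_.DisplayName -match 'apache' }
if ($apacheProc -or $apacheSvc) {
    Write-Warning 'Apache httpd is present on this host; that is outside the App Control Server configuration this article covers.'
} else {
    Write-Output 'No Apache httpd process or service found (expected: App Control Server does not use Apache).'
}

# 2. Precondition: is php-cgi.exe present anywhere under the install root?
$phpCgi = Get-ChildItem -Path $InstallRoot -Recurse -Filter 'php-cgi.exe' -ErrorAction SilentlyContinue
if ($phpCgi) {
    Write-Warning "php-cgi.exe found: $($phpCgi.FullName -join ', ')"
} else {
    Write-Output 'No php-cgi.exe under the install root.'
}

# 3. Report the bundled PHP version from file metadata and compare it with the fixed
#    release for its branch. Binary names searched for are an assumption.
$phpBins = Get-ChildItem -Path $InstallRoot -Recurse -Include 'php.exe', 'php8*.dll' -ErrorAction SilentlyContinue
foreach ($bin in $phpBins) {
    $raw = $bin.VersionInfo.ProductVersion
    if (-not $raw) { continue }
    $ver    = [version]($raw -replace '[^\d.].*$', '')   # drop suffixes such as '-dev'
    $branch = '{0}.{1}' -f $ver.Major, $ver.Minor
    if ($Fixed.ContainsKey($branch)) {
        if ($ver -lt $Fixed[$branch]) {
            $status = 'in the affected range (fixed in {0})' -f $Fixed[$branch]
        } else {
            $status = 'at or above the fixed release'
        }
    } else {
        $status = 'branch not listed in the advisory ranges'
    }
    Write-Output ('{0}: {1} -> {2}' -f $bin.FullName, $ver, $status)
}

# 4. Informational: the system ANSI code page, since Best-Fit substitution depends on the code page in use.
$acp = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\CodePage' -Name ACP).ACP
Write-Output "System ANSI code page: $acp"

# Note: per the article, do NOT modify or replace the PHP library shipped with App Control;
# the supported remediation for scanner findings is upgrading the Server to 8.11.0 or later.
```

On an App Control Server the first two checks should report nothing found, which is the basis for the article's statement that the server is not exposed; the version report explains why a scanner still raises the CVE on a pre-8.11.0 install, and the upgrade is the only supported way to clear it.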

Additional Information

  • Subscribe to Product Update Notifications to be alerted when a new Server Release is available.
  • Do not attempt to update or otherwise modify the PHP library used by App Control. Doing so will break access to the Console; the supported way to update PHP is to upgrade the Server.