
PatchSiren cyber security CVE debrief

CVE-2019-11048 Festo Didactic SE CVE debrief

CVE-2019-11048 is a denial-of-service issue in affected PHP versions when HTTP file uploads are enabled. Oversized filenames or field names can push the PHP engine toward excessive memory allocation, hit the memory limit, and abort request processing without cleaning up temporary upload files. Over time, that can accumulate leftover files and exhaust disk space on the target system. The official advisory in this corpus ties the issue to Festo Didactic SE MES PC deployments and points users to vendor-provided replacement software and fixed PHP versions.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Administrators and operators of Festo Didactic SE MES PC environments, and any PHP-based service that accepts HTTP file uploads on affected PHP 7.2.x, 7.3.x, or 7.4.x releases. Systems with constrained temporary storage or exposed upload endpoints deserve the most attention.

Technical summary

According to the advisory text, PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, and 7.4.x below 7.4.6 can mishandle overly long upload filenames or field names when file uploads are allowed. The engine may attempt to allocate oversized memory storage, hit the memory limit, and stop processing the request without cleaning up temporary files created during the upload. The practical impact is availability-focused: repeated failures can leave temp files behind until disk space is exhausted.

Defensive priority

Medium. Prioritize if the affected PHP component is present on production or internet-facing systems, especially where file uploads are enabled and temporary storage is limited. If uploads are disabled or the affected PHP versions are not in use, urgency is lower.

Recommended defensive actions

  • Confirm whether MES PC deployments or related services use affected PHP versions and whether HTTP file uploads are enabled.
  • Upgrade to the fixed PHP releases referenced in the advisory: 7.2.31, 7.3.18, or 7.4.6 and later.
  • If applicable, obtain the current Factory Control Panel version from Festo technical support as described in the advisory.
  • Review upload endpoints for unnecessary exposure and limit or disable file upload functionality where it is not required.
  • Monitor temporary upload directories and disk utilization for abnormal growth after failed upload requests.
  • Apply storage and housekeeping controls so temporary files are cleaned up promptly if a request aborts.
  • Validate that any vendor replacement or updated component is deployed consistently across affected MES PC systems.
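As an added example (not code from the advisory, PatchSiren, or Festo), a POSIX shell helper covering two of the actions above: checking a PHP version string against the fixed releases the advisory names, and counting leftover upload temp files in PHP's upload directory. It assumes PHP's "php" prefix for upload temp files and the usual upload_tmp_dir / system temp dir resolution; the web SAPI's ini may differ from the CLI's, so confirm the version and directory for php-fpm or mod_php separately.

```shell
#!/bin/sh
# Added triage helper for this debrief, not code from the advisory or from Festo.
# Assumes PHP names upload temp files "php*" in upload_tmp_dir (or the system
# temp dir), and that find supports -mmin (GNU and BSD find both do).

# php_version_is_fixed VERSION -> 0 if at/above the fixed release for its branch
# (7.2.31, 7.3.18, 7.4.6), 1 if in a vulnerable range, 2 if the branch is not
# one the advisory names.
php_version_is_fixed() {
  _branch=$(printf '%s' "$1" | cut -d. -f1-2)
  _patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
  [ -n "$_patch" ] || return 2
  case "$_branch" in
    7.2) _min=31 ;;
    7.3) _min=18 ;;
    7.4) _min=6 ;;
    *)   return 2 ;;
  esac
  [ "$_patch" -ge "$_min" ]
}

# stale_upload_tmp_count DIR MINUTES -> prints how many "php*" files in DIR are
# older than MINUTES; a count that rises after failed uploads is the leftover
# temp-file symptom the advisory describes.
stale_upload_tmp_count() {
  find "$1" -maxdepth 1 -type f -name 'php*' -mmin "+$2" 2>/dev/null | wc -l | tr -d ' '
}

# upload_tmp_dir -> the directory PHP uses for uploads, from the PHP CLI when
# present (its ini may differ from php-fpm/mod_php, so confirm per SAPI).
upload_tmp_dir() {
  if command -v php >/dev/null 2>&1; then
    php -r 'echo ini_get("upload_tmp_dir") ?: sys_get_temp_dir();'
  else
    echo "${TMPDIR:-/tmp}"
  fi
}

# triage_report -> status lines for the local host; safe to run from cron.
triage_report() {
  _ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null || true)
  if [ -n "$_ver" ] && php_version_is_fixed "$_ver"; then
    echo "php $_ver: at or above the fixed release"
  else
    echo "php '$_ver': not at a fixed release, or CLI absent; check the web SAPI"
  fi
  _dir=$(upload_tmp_dir)
  echo "php* files older than 30 min in $_dir: $(stale_upload_tmp_count "$_dir" 30)"
}
```

Run triage_report from cron and alert on a rising count; the version check accepts distribution-suffixed strings such as 7.4.6-1ubuntu1.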

Evidence notes

This debrief is grounded in the provided CISA CSAF advisory text, which states the PHP version ranges, the upload-triggered memory exhaustion behavior, and the risk of uncleaned temporary files leading to disk exhaustion. The source corpus also includes official CVE and NVD records plus the CISA advisory reference set. No exploit code or offensive reproduction steps are included.

Official resources

The provided CISA CSAF advisory was initially published on 2024-02-27 and later updated/republished on 2026-01-27. This debrief uses that advisory timeline for context while describing the older CVE-2019-11048 record. The content is limited