Описание
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
Ссылки
- Patch
- Third Party Advisory
- Patch
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 5.7.1 (исключая)
cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*
EPSS
Процентиль: 1%
0.00011
Низкий
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-502
Связанные уязвимости
EPSS
Процентиль: 1%
0.00011
Низкий
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
CWE-502