Description
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.
References
- Exploit, Third Party Advisory
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:thinkphp:thinkphp:5.0.24:*:*:*:*:*:*:*
EPSS
Percentile: 95%
0.20316
Medium
7.5 High
CVSS3
4 Medium
CVSS3
5 Medium
CVSS2
Weaknesses
CWE-668
CWE-284
Related vulnerabilities
CVSS3: 7.5
github
almost 4 years ago
Exposure of Resource to Wrong Sphere in ThinkPHP Framework