GHSA-69wp-xwm7-69wm

Suggest an improvement
Source
https://github.com/advisories/GHSA-69wp-xwm7-69wm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-69wp-xwm7-69wm/GHSA-69wp-xwm7-69wm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-69wp-xwm7-69wm
Aliases
Published
2022-03-22T00:00:43Z
Modified
2024-07-03T21:21:33.786567Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
Details

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.

References

Affected packages

Packagist / topthink/framework

Package

Name
topthink/framework
Purl
pkg:composer/topthink/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
5.0.24

Affected versions

5.*

5.0-rc1
5.0-rc2
5.0-rc3
5.0-rc4
5.0

v5.*

v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.20
v5.0.21
v5.0.22
v5.0.23
v5.0.24