CVE-2018-19246 – athlon1600/php-proxy

Package

Manager: composer
Name: athlon1600/php-proxy
Vulnerable Version: >=0 <=5.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.46946 pctl0.97587

Details

LFI in PHP-Proxy 5.1.0 PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the `aeb067ca0aa9a3193dce3a7264c90187` app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

Metadata

Created: 2022-05-14T01:48:51Z
Modified: 2023-07-07T00:47:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pc5h-m95g-v6rh/GHSA-pc5h-m95g-v6rh.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-pc5h-m95g-v6rh
Finding: F308
Auto approve: 1