GHSA-26hp-cgjj-m2j3 – fuel/core
Package
Manager: composer
Name: fuel/core
Vulnerable Version: >=0 <1.8.0.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
The fuel/core ImageMagick driver does not escape all shell arguments. As a result, OS commands may be executed when unvalidated image filenames containing specially crafted strings are passed to the ImageMagick driver.
Metadata
Created: 2024-05-15T21:44:46Z
Modified: 2024-05-15T21:44:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-26hp-cgjj-m2j3/GHSA-26hp-cgjj-m2j3.json
CWE IDs: ["CWE-78"]
Alternative ID: N/A
Finding: F404
Auto approve: 1