CVE-2020-15227 – nette/application
Package
Manager: composer
Name: nette/application
Vulnerable Version: >=2.2.0 <2.2.10 || >=2.3.0 <2.3.14 || >=2.4.0 <2.4.16 || >=3.0.0 <3.0.6 || >=2.0.0 <2.0.19 || >=2.1.0 <2.1.13
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.93528 (percentile 0.99824)
Details
Potential Remote Code Execution vulnerability

nette/application versions prior to 2.2.10, 2.3.14, 2.4.16 and 3.0.6, and nette/nette versions prior to 2.0.19 and 2.1.13, are vulnerable to a code injection attack: specially formed parameters passed in the URL may lead to remote code execution. Reported by Cyku Hong from DEVCORE (https://devco.re).

Impact: Code injection, possible remote code execution.

Patches: Fixed in nette/application 2.2.10, 2.3.14, 2.4.16 and 3.0.6, and in nette/nette 2.0.19 and 2.1.13.
Metadata
Created: 2020-10-02T16:22:19Z
Modified: 2021-11-19T15:12:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json
CWE IDs: ["CWE-74", "CWE-94"]
Alternative ID: GHSA-8gv3-3j7f-wg94
Finding: F184
Auto approve: 1