CVE-2022-25481 – topthink/framework
Package
Manager: composer
Name: topthink/framework
Vulnerable Version: >=0 <=5.0.24
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.43981 (percentile: 0.97456)
Details
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.
Metadata
Created: 2022-03-22T00:00:43Z
Modified: 2022-04-01T13:50:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-69wp-xwm7-69wm/GHSA-69wp-xwm7-69wm.json
CWE IDs: ["CWE-284", "CWE-668"]
Alternative ID: GHSA-69wp-xwm7-69wm
Finding: F039
Auto approve: 1