Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02OXdwLXh3bTctNjl3bc01DA
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
ThinkPHP Framework v5.0.24, when deployed without the PATHINFO parameter configured, allows a remote, unauthenticated attacker (AV:N/PR:N in the vector below) to read all system environment parameters via index.php. The impact is confidentiality only (C:H/I:N/A:N): the disclosed configuration and environment data is what makes the issue High severity, not any code execution.
Permalink: https://github.com/advisories/GHSA-69wp-xwm7-69wm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02OXdwLXh3bTctNjl3bc01DA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-69wp-xwm7-69wm, CVE-2022-25481
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25481
- https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md
- https://github.com/advisories/GHSA-69wp-xwm7-69wm
Blast Radius: 26.3
Affected Packages
packagist:topthink/framework
Dependent packages: 1,372
Dependent repositories: 3,236
Downloads: 2,685,485 total
Affected Version Ranges: <= 5.0.24
No known fixed version
All affected versions: 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 5.0.19, 5.0.20, 5.0.21, 5.0.22, 5.0.23, 5.0.24
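Because the record above lists an affected range with no known fixed version, the practical question for a consumer of this advisory is simply whether a locked copy of topthink/framework falls inside "<= 5.0.24". The following is an added example (not code from ecosyste.ms, GitHub or the ThinkPHP project) that matches a Composer lock file against the advisory's range. It embeds the range and identifiers copied from this page; the composer.lock fragment is constructed for the demo, and the constraint grammar (comma-separated clauses with <=, <, >=, >, =) is an assumption that covers the form shown on this page rather than a full Composer or OSV implementation.

```python
import json
import re

# Advisory facts copied from this page's record; nothing else is assumed.
ADVISORY = {
    "id": "GHSA-69wp-xwm7-69wm",
    "aliases": ["CVE-2022-25481"],
    "ecosystem": "packagist",
    "package": "topthink/framework",
    "affected": "<= 5.0.24",
    "fixed": None,  # the page states "No known fixed version"
}

# Constructed composer.lock fragment for the demo (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v5.0.24"},
        {"name": "topthink/think-helper", "version": "v1.0.7"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.10"},
    ],
})

# One constraint clause: optional operator, optional leading 'v', dotted integers.
_CLAUSE_RE = re.compile(r"^(<=|>=|<|>|==|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'v5.0.24' -> (5, 0, 24). A pre-release suffix such as '-rc1' is dropped."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so that 5.0 == 5.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, spec):
    """True if version meets every comma-separated clause in spec, e.g. '>= 5.0.1, <= 5.0.24'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError("unparseable constraint: %r" % clause)
        op = m.group(1) or "=="
        c = compare(v, parse_version(m.group(2)))
        ok = {"<=": c <= 0, "<": c < 0, ">=": c >= 0, ">": c > 0,
              "==": c == 0, "=": c == 0}[op]
        if not ok:
            return False
    return True


def find_affected(lock_text, advisory):
    """Return (section, version) for every locked copy of the package inside the affected range."""
    lock = json.loads(lock_text)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != advisory["package"]:
                continue
            if satisfies(pkg["version"], advisory["affected"]):
                hits.append((section, pkg["version"]))
    return hits


def report(lock_text, advisory):
    """Human-readable findings; an empty list means no locked version is in range."""
    fix = advisory["fixed"] or "no known fixed version on record"
    return [
        "%s (%s): %s %s in %s is affected (%s); fix: %s" % (
            advisory["id"], ", ".join(advisory["aliases"]), advisory["package"],
            version, section, advisory["affected"], fix)
        for section, version in find_affected(lock_text, advisory)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOCK, ADVISORY):
        print(line)
```

In real use the affected range would be read from the JSON endpoint linked on this page instead of the inline ADVISORY dict, and the matcher would be run over every advisory returned for the packages in the lock file; with no fixed version listed, a hit cannot be cleared by an upgrade within the 5.0 line and has to be handled as a configuration or deployment question.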