Nette Plugins Remote Command Execution On Laravel

2023.10.03

Mr.Fn4ticHz (ID)

Risk: High

Local: No

Remote: Yes

CVE: CVE-2020-15227

CWE: CWE-74

Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE.

Example:
https://domain.com/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1

Impact:
Code injection, possible remote code execution.

Patches:
Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Nette Plugins Remote Command Execution On Laravel

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.