Description
On some systems running Minify, an attacker may be able to reveal the contents of
arbitrary files. You are strongly advised to follow the instructions below to manually
patch your system, and upgrade to Minify 2.1.7 when possible.
On some PHP systems, file system functions accept parameters containing null bytes
("\x00"), but do not handle them correctly. An attacker may be able to use Minify to
reveal the contents of any file PHP has access to within the document root, including
sensitive configuration files.
Remediation
Upgrade to the latest version of Minify.
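For code of your own that maps a request parameter to a file, the following added example (not Minify's code and not its official patch) shows the defensive checks this class of bug calls for: refuse null bytes before any file system call, then validate the canonical path rather than the raw string. The function name `resolve_minifiable()`, its parameters, and the sample files are hypothetical and constructed for illustration.

```php
<?php
/**
 * Resolve a user-supplied relative path to a file under $docRoot.
 * Returns the canonical path, or null if the request must be refused.
 * Hypothetical helper for illustration; not part of Minify.
 */
function resolve_minifiable(string $requested, string $docRoot, array $allowedExt = ['js', 'css']): ?string
{
    // 1. Refuse null bytes before touching the file system. On affected PHP
    //    builds a string-level check and the OS-level open can disagree about
    //    the file name, because C APIs treat "\0" as the end of the string.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $root = realpath($docRoot);
    $full = realpath($docRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $full === false || !is_file($full)) {
        return null;
    }
    // 3. Containment: the resolved file must live under the document root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // 4. Check the extension of the resolved path, not of the raw parameter.
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $full : null;
}

// Constructed sample tree in a temporary directory (runs offline).
$root = sys_get_temp_dir() . '/minify_demo_' . getmypid();
mkdir($root . '/js', 0700, true);
file_put_contents($root . '/js/app.js', 'var a = 1;');
file_put_contents($root . '/config.php', '<?php $secret = "constructed";');

// Constructed requests: one legitimate, three that must be refused.
foreach (['js/app.js', "js/app.js\0.css", 'config.php', '../outside.js'] as $req) {
    $result = resolve_minifiable($req, $root);
    printf("%-18s => %s\n", addcslashes($req, "\0"), $result === null ? 'refused' : 'served');
}

// Remove the constructed files again.
unlink($root . '/js/app.js');
unlink($root . '/config.php');
rmdir($root . '/js');
rmdir($root);
```

Only the first request is served; the null-byte request is refused at step 1 regardless of how the underlying PHP build handles such strings.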