Description

On some systems running Minify, an attacker may be able to reveal the contents of arbitrary files. You are strongly advised to follow the instructions below to manually patch your system, and upgrade to Minify 2.1.7 when possible.

On some PHP systems, file system functions accept parameters containing null bytes ("\x00"), but do not handle them correctly. An attacker may be able to use Minify to reveal the contents of any file PHP has access to within the document root, including sensitive configuration files.

Remediation

Upgrade to the latest version of Minify.

References

Serious vulnerability in Minify

Related Vulnerabilities

VMware Horizon Log4Shell RCE

Joomla! Core 1.5.x Information Disclosure (1.5.0 - 1.5.12)

Joomla! Core 1.7.x Information Disclosure (1.7.0 - 1.7.4)

ColdFusion path disclosures

Joe Editor DEADJOE file

Severity

High

Classification

CVE-2013-6619 CWE-538 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure