Description

Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an PHP code injection attack by passing specially formed parameters to URL that may possibly leading to remote code execution (RCE).

Remediation

Upgrade to the latest version of nette/application and/or nette/nette.

References

Potential Remote Code Execution vulnerability

Related Vulnerabilities

Elasticsearch remote code execution

WordPress Plugin WordPress Landing Pages Remote Code Execution (1.9.0)

Ektron CMS multiple vulnerabilities

OpenX arbitrary file upload

WordPress Plugin ThemeREX Addons Remote Code Execution (All)

Severity

High

Classification

CVE-2020-15227 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution