Description

ThinkPHP is an widely used PHP development framework in China.

In ThinkPHP versions <= v5.0.22/5.1.29 the framework processes controller name incorrectly, allowing an attacker to execute any framework function, resulting in a RCE (Remote Code Execution) vulnerability.

Remediation

Upgrade to the latest version of ThinkPHP.

References

ThinkPHP security update

thinkphp 5.x vulnerability

Related Vulnerabilities

Code Evaluation (Apache Struts) S2-046

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-35152)

WordPress Plugin Secure File Manager Remote Code Execution (2.8.1)

WordPress Plugin File Manager Remote Code Execution (4.5)

Apache OFBiz RCE (CVE-2024-32113)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution