Description
ThinkPHP is a PHP development framework widely used in China.
In ThinkPHP versions <= v5.0.22/5.1.29, the framework processes the controller name incorrectly, allowing an attacker to execute any framework function and resulting in a remote code execution (RCE) vulnerability.
Remediation
Upgrade to the latest version of ThinkPHP.
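To find which deployments need the upgrade, the added example below (not part of the original advisory or of ThinkPHP) audits a project's composer.lock against the version bounds stated above. It assumes the framework is installed through Composer as `topthink/framework` and reads "<= v5.0.22/5.1.29" as a per-branch bound; the sample lock file is constructed.

```python
import json
import re

PACKAGE = "topthink/framework"  # assumption: Composer name of the ThinkPHP core
# Last affected release per branch, from the advisory's "<= v5.0.22/5.1.29".
LAST_AFFECTED = {(5, 0): (5, 0, 22), (5, 1): (5, 1, 29)}

# Constructed sample lock file (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v5.0.22"},
        {"name": "example/other-package", "version": "1.2.3"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return (major, minor, patch) for strings like 'v5.0.22', else None."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(raw):
    """Map a version string to 'affected', 'not-listed' or 'unknown'."""
    v = parse_version(raw)
    if v is None:
        return "unknown"          # dev-master, branch aliases, etc.
    bound = LAST_AFFECTED.get(v[:2])
    if bound is not None:
        return "affected" if v <= bound else "not-listed"
    if v > max(LAST_AFFECTED.values()):
        return "not-listed"       # newer branch than the advisory covers
    return "unknown"              # pre-5.0 branch: review manually


def audit_lock(lock_text):
    """Return [(version, status)] for every ThinkPHP entry in a composer.lock."""
    lock = json.loads(lock_text)
    return [
        (pkg.get("version", ""), classify(pkg.get("version", "")))
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
        if pkg.get("name") == PACKAGE
    ]


if __name__ == "__main__":
    for version, status in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {status}")
```

A status of `not-listed` only means the version falls outside the range this advisory names; `unknown` entries need manual review.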
References
Related Vulnerabilities
WordPress Plugin Plainview Activity Monitor Remote Command Execution (20161228)
Drupal Core 7.x Remote Code Execution (7.0 - 7.58)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-29214)
WordPress Plugin WP eCommerce Multiple Vulnerabilities (3.8.9.5)
WordPress Plugin iThemes Exchange:Simple WP Ecommerce Remote Code Execution (1.14.0)