CVE-2022-25481
Published 2022-03-21. CVE-2022-25481: ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters…
Priority P3 53 · Severity high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit likelihood (EPSS): 4.75% (90.8th percentile)
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thinkphp | thinkphp | — | — |
| topthink | framework | 0 – 5.0.24 | — |
CVSS provenance:
- NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
GHSA
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
Source: GHSA · 2022-03-22
CVE-2022-25481 [HIGH] CWE-284 Exposure of Resource to Wrong Sphere in ThinkPHP Framework
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.
OSV
Exposure of Resource to Wrong Sphere in ThinkPHP Framework
Source: OSV · 2022-03-22
CVE-2022-25481 [HIGH] Exposure of Resource to Wrong Sphere in ThinkPHP Framework
ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php.
No detection rules found.
Nuclei
ThinkPHP 5.0.24 - Information Disclosure
Source: Nuclei · CVSS 7.5
CVE-2022-25481 [HIGH] ThinkPHP 5.0.24 - Information Disclosure
ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
Template (as indexed; the entry is cut off after the `description` field):

```yaml
id: CVE-2022-25481

info:
  name: ThinkPHP 5.0.24 - Information Disclosure
  author: caon
  severity: high
  description: |
    ThinkPHP 5.0.24 is susceptible to information disclosure. This version was configured without the PATHINFO parameter. This can allow an attacker to access all system environment parameters from index.php, thereby possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
  impa
```
No writeups or analysis indexed.
Published: 2022-03-21