Description
PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.
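To detect the request pattern described above in Apache access logs, the following added example (not part of the original advisory) flags requests that address php.exe directly with a non-empty query string. The log lines, client addresses and the function name are constructed for illustration, and the common/combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line and status code inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample entries (documentation-range addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /php/php.exe?c:/example/file.txt HTTP/1.0" 200 1200',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /PHP/php%2Eexe?c:/example/other.txt HTTP/1.0" 404 210',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /php/php.exe HTTP/1.1" 403 199',
]


def direct_php_exe_requests(log_lines):
    """Return (client, path, query, status) for each request that targets
    php.exe directly and carries a query string."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request entry
        parts = urlsplit(m.group("target"))
        # Decode percent-escapes and fold case: Windows file names are
        # case-insensitive, so /PHP/php%2Eexe reaches the same binary.
        path = unquote(parts.path).replace("\\", "/").lower()
        if path.rsplit("/", 1)[-1] != "php.exe" or not parts.query:
            continue
        client = line.split(" ", 1)[0]
        hits.append((client, path, unquote(parts.query), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for client, path, query, status in direct_php_exe_requests(SAMPLE_LOG):
        print(f"{client} requested {path} with query {query!r} (status {status})")
```

A 200 status on a flagged entry means the server answered the direct php.exe request, which is the case to investigate first.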
Remediation
References