Description

On some systems running Minify, an attacker may be able to reveal the contents of arbitrary files. You are strongly advised to follow the instructions below to manually patch your system, and upgrade to Minify 2.1.7 when possible.

On some PHP systems, file system functions accept parameters containing null bytes ("\x00"), but do not handle them correctly. An attacker may be able to use Minify to reveal the contents of any file PHP has access to within the document root, including sensitive configuration files.

Remediation

Upgrade to the latest version of Minify.

References

Serious vulnerability in Minify

Related Vulnerabilities

WordPress Plugin WP Attachment Export Arbitrary File Download (0.2.3)

Drupal Core 8.x.x Information Disclosure (8.0.0 - 8.7.14)

WordPress Plugin Simple Download Button Shortcode 'file' Parameter Information Disclosure (1.0)

SAP NetWeaver server info information disclosure BCB

Unrestricted access to NGINX+ API interface (read only)

Severity

High

Classification

CVE-2013-6619 CWE-538 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure