Description
On some systems running Minify, an attacker may be able to reveal the contents of arbitrary files. You are strongly advised to follow the instructions below to manually patch your system, and upgrade to Minify 2.1.7 when possible.

On some PHP systems, file system functions accept parameters containing null bytes ("\x00"), but do not handle them correctly. An attacker may be able to use Minify to reveal the contents of any file PHP has access to within the document root, including sensitive configuration files.
Remediation
Upgrade to the latest version of Minify.
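The null-byte condition described above can also be checked in application code before any file system call is made. The following is an added example, not Minify's own code or patch; the function `resolveServableFile()`, the allowed extensions and the temporary document root are hypothetical names and values constructed for the illustration.

```php
<?php
// Added illustration, not Minify's code. resolveServableFile() and the
// temporary document root below are hypothetical and constructed for the demo.

function resolveServableFile(string $requested, string $docRoot, array $allowedExt = ['js', 'css']): ?string
{
    // Reject null bytes first. On affected PHP builds the underlying C call
    // stops reading at "\x00", so the string that was validated and the path
    // that is actually opened can differ.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Canonicalize: resolves ".." and symlinks, returns false if missing.
    $root = realpath($docRoot);
    $path = realpath($docRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }

    // The canonical path must stay inside the document root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Check the extension of the canonical path, not of the raw parameter.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $path : null;
}

// Constructed sample tree: one servable script, one file that must stay private.
$docRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'minify_demo_' . getmypid();
mkdir($docRoot . DIRECTORY_SEPARATOR . 'js', 0700, true);
file_put_contents($docRoot . '/js/app.js', 'var a = 1;');
file_put_contents($docRoot . '/config.php', '<?php // placeholder');

// Constructed request parameters: a normal one, two with a null byte, one wrong type.
$samples = ['js/app.js', "js/app.js\0", "config.php\0.js", 'config.php'];
foreach ($samples as $sample) {
    $result = resolveServableFile($sample, $docRoot);
    printf("%-22s => %s\n", addcslashes($sample, "\0"), $result === null ? 'rejected' : 'served');
}

// Remove the sample tree.
unlink($docRoot . '/js/app.js');
unlink($docRoot . '/config.php');
rmdir($docRoot . '/js');
rmdir($docRoot);
```

Only the first sample is served; a check like this complements the upgrade and does not replace it.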