Description

Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an PHP code injection attack by passing specially formed parameters to URL that may possibly leading to remote code execution (RCE).

Remediation

Upgrade to the latest version of nette/application and/or nette/nette.

References

Potential Remote Code Execution vulnerability

Related Vulnerabilities

WordPress Plugin Newsletter Subscription Form Possible Remote Code Execution (1.1.2)

Drupal Core 8.9.0 Remote Code Execution (8.9.0)

Moveable Type 4.x unauthenticated remote command execution

WordPress Plugin BJ Lazy Load Remote Code Execution (0.7.5)

Lotus Notes formula injection

Severity

High

Classification

CVE-2020-15227 CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution