Potential Remote Code Execution vulnerability
Package
Affected versions
>= 2.2.0, < 2.2.10
>= 2.3.0, < 2.3.14
>= 2.4.0, < 2.4.16
>= 3.0.0, < 3.0.6
>= 2.0.0, < 2.0.19
>= 2.1.0, < 2.1.13
Patched versions
2.2.10
2.3.14
2.4.16
3.0.6
2.0.19
2.1.13
Description
Reviewed
Oct 1, 2020
Published by the National Vulnerability Database
Oct 1, 2020
Published to the GitHub Advisory Database
Oct 2, 2020
Last updated
Feb 7, 2024
Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE.
Reported by Cyku Hong from DEVCORE (https://devco.re)
Impact
Code injection, possible remote code execution.
Patches
Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
References