Vulnerabilities > CVE-2022-25481 - Exposure of Resource to Wrong Sphere vulnerability in Thinkphp 5.0.24

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

thinkphp

CWE-668

NVD

Published: 2022-03-21

Updated: 2024-08-03

Summary

ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode.

Vulnerable Configurations

Part	Description	Count
Application	Thinkphp Thinkphp Thinkphp 5.0.24	1

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

References

https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md