Nette Product Security Update Advisory (CVE-2020-15227)

Overview

Nette, a PHP MVC framework distributed through Composer, has released updates that address a code injection vulnerability in the nette/nette and nette/application packages. Users of affected versions are advised to update to a fixed version.

Affected Products


CVE-2020-15227

  • nette/nette versions: 2.0.0 (inclusive) ~ 2.0.19 (excluded)
  • nette/nette versions: 2.1.0 (inclusive) ~ 2.1.13 (excluded)

  • nette/application versions: 2.2.0 (inclusive) ~ 2.2.10 (excluded)
  • nette/application versions: 2.3.0 (inclusive) ~ 2.3.14 (excluded)
  • nette/application versions: 2.4.0 (inclusive) ~ 2.4.16 (excluded)
  • nette/application versions: 3.0.0 (inclusive) ~ 3.0.6 (excluded)

The 2.0 and 2.1 branches were installed as the single nette/nette package; from 2.2 on the framework is installed as separate packages, and nette/application is the one that carries the fix, so check for both package names in composer.lock.

Resolved Vulnerabilities

Code injection (CVE-2020-15227): a specially crafted parameter passed in the request URL can cause the framework to execute attacker-chosen code, giving a remote attacker who can reach the application arbitrary code execution (RCE) on the web server. Exploitation attempts against exposed Nette applications have been observed in the wild; see [3] for the observed requests and [4] for a file those attempts downloaded.

Vulnerability Patches

Fixed releases are available. Update the affected package to the version listed below for its branch, or later, for example with composer update nette/application (composer update nette/nette for 2.0/2.1 installations), and confirm the installed release with composer show nette/application. Make the check against composer.lock rather than composer.json: a constraint such as ^2.4 does not by itself guarantee that the fixed release has been installed. The upstream advisory and the NVD entry are listed under Referenced Sites.

CVE-2020-15227

  • nette/nette version: 2.0.19
  • nette/nette version: 2.1.13

  • nette/application version: 2.2.10
  • nette/application version: 2.3.14
  • nette/application version: 2.4.16
  • nette/application version: 3.0.6
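The following is an added worked example (not code from Nette or from this advisory) of the check a practitioner would run against a project before and after updating, for both the affected-version list and the fixed-version list above: it encodes only the version ranges stated in this advisory, reads the name and version fields from a composer.lock, and reports whether each package the advisory names is in an affected range and which release of that branch first contains the fix. The composer.lock content embedded as SAMPLE_LOCK is constructed for the demonstration, and the script filename in the usage comment is assumed.

```python
import json
import re
import sys

# Version ranges from the advisory: (first affected, inclusive; first fixed, excluded).
# The 2.0/2.1 branches shipped as the nette/nette package; 2.2 and later as nette/application.
AFFECTED_RANGES = {
    "nette/nette": [
        ("2.0.0", "2.0.19"),
        ("2.1.0", "2.1.13"),
    ],
    "nette/application": [
        ("2.2.0", "2.2.10"),
        ("2.3.0", "2.3.14"),
        ("2.4.0", "2.4.16"),
        ("3.0.0", "3.0.6"),
    ],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Map a Composer tag such as 'v2.4.15' or '2.4.15' to the tuple (2, 4, 15).

    Anything else (dev-master, a branch alias, a pre-release suffix) returns None
    so the caller flags it for manual review instead of guessing.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def assess(package, version):
    """Return (status, first_fixed) for one installed package.

    status is 'affected', 'not affected' or 'unknown'; first_fixed is the lowest
    release of that branch containing the fix, or None.
    """
    ranges = AFFECTED_RANGES.get(package)
    if ranges is None:
        return ("not affected", None)  # package not named in this advisory
    parsed = parse_version(version)
    if parsed is None:
        return ("unknown", None)  # non-tagged version: compare the commit by hand
    for first_affected, first_fixed in ranges:
        if parse_version(first_affected) <= parsed < parse_version(first_fixed):
            return ("affected", first_fixed)
    return ("not affected", None)


def check_lock(lock_text):
    """Scan the 'packages' and 'packages-dev' sections of a composer.lock.

    Returns a list of (package, version, status, first_fixed) for every package
    the advisory covers, in the order they appear in the lock file.
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in AFFECTED_RANGES:
                version = pkg.get("version", "")
                status, first_fixed = assess(name, version)
                findings.append((name, version, status, first_fixed))
    return findings


# Constructed sample containing only the fields this check reads; not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/application", "version": "v2.4.15"},
        {"name": "nette/utils", "version": "v2.5.5"},
    ],
    "packages-dev": [
        {"name": "nette/nette", "version": "v2.1.13"},
    ],
})


if __name__ == "__main__":
    # Usage (filename assumed): python check_nette_cve_2020_15227.py [path/to/composer.lock]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, status, first_fixed in check_lock(text):
        advice = f" (update to {first_fixed} or later)" if first_fixed else ""
        print(f"{name} {version}: {status}{advice}")
```

Versions that are not plain tags (dev-master, branch aliases, pre-releases) are reported as unknown rather than guessed; resolve those against the upstream commit that contains the fix. Reading composer.lock reflects what is actually installed, which is what matters here: a composer.json constraint only describes what an update is allowed to pull in.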


Referenced Sites

[1] NVD entry for CVE-2020-15227
https://nvd.nist.gov/vuln/detail/CVE-2020-15227

[2] GitHub security advisory for nette/application (GHSA-8gv3-3j7f-wg94)
https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94

[3] SANS ISC diary on in-the-wild attempts to exploit the vulnerability
https://isc.sans.edu/diary/Attacks+against+the+Nette+PHP+framework+CVE202015227/31076

[4] VirusTotal entry for a file downloaded during the exploitation attempts
https://www.virustotal.com/gui/file/8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8

SHA-256 of the file in [4]

8325bfc699f899d0190e36ea339540ea0590aea0e1b22b8a2dcec3ff8b5763b8