CVE-2022-0557 OS Command Injection in Packagist microweber/microweber prior to 1.2.11.

It has been fixed in version 1.2.12. In older versions, attackers could inject an arbitrary command through a GET or POST request parameter by injecting an image URL into the request. For example, the following command injection scenario would be possible in Packagist: img src="../../../../../Remote/Command/Injection/"> In addition, the AUTH_SESSION_KEY variable would be accessible in the request by injecting a variable named AUTH_SESSION_KEY.
The PRE_INSTALL_COOKIE variable would likewise be accessible in the request by injecting a variable named PRE_INSTALL_COOKIE, and the POST_INSTALL_COOKIE variable by injecting a variable named POST_INSTALL_COOKIE.
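As an added illustration (not microweber's own code, which this page does not show), the request-parameter-to-shell pattern described above beside a hardened handler. The src parameter name, the curl invocation and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the microweber project. Hypothetical image-fetch handler
// that receives an image URL from a GET/POST parameter.

// BEFORE (vulnerable pattern): the raw request value is spliced into a shell command line,
// so shell metacharacters inside the "image URL" become extra commands run by /bin/sh.
function fetchImageUnsafe(string $src): ?string
{
    return shell_exec("curl -s " . $src);
}

// AFTER (hardened): validate the value as an http(s) URL, then run the tool without a
// shell so the value is only ever a single argv element.
function fetchImageSafe(string $src): ?array
{
    // Reject anything that is not a syntactically valid URL.
    if (filter_var($src, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Restrict the scheme: blocks file://, ftp://, data: and similar.
    $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // proc_open with an argv array (PHP >= 7.4) starts the process directly, never via a
    // shell, so characters such as ; | $( ) ` in $src are inert. If a shell is unavoidable,
    // wrap the value with escapeshellarg() as a weaker fallback.
    $proc = proc_open(
        ['curl', '-s', '--max-time', '5', $src],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        return null;
    }
    $body = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);
    return ['exit' => $exit, 'bytes' => strlen($body)];
}

// Usage: the request value reaches the command only after validation.
$result = fetchImageSafe((string) ($_REQUEST['src'] ?? ''));
```

A defender reviewing a codebase for this class of bug looks for request values (`$_GET`, `$_POST`, `$_REQUEST`) flowing into shell_exec, exec, system, passthru or backtick operators without passing through validation and escapeshellarg, or better, without a shell at all.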

Security Risk of Packagist Command Injection

A command injection vulnerability was found in Packagist. Packagist is a package manager for PHP, and its usage in web applications is widespread, ranging from websites to web frameworks. Command injection vulnerabilities are often used as an attack vector to run commands on the underlying system that would otherwise be unavailable to the attacker. This vulnerability has been fixed with version 1.2.12 of Packagist.
