Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Path traversal vulnerability in EasyPHP

Posted date 14/11/2024
Identificador
INCIBE-2024-0560
Importance
3 - Medium
Affected Resources

EasyPHP web server, version 14.1.

Description

INCIBE has coordinated the publication of 1 medium severity vulnerability affecting the EasyPHP web server in its version 14.1, a PHP development environment, which has been discovered by Rafael Pedrero.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-11215: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-22.
Solution

There is no reported solution at this time.

Detail

CVE-2024-11215: absolute path traversal (incorrect restriction of a path to a restricted directory) vulnerability in the EasyPHP web server, affecting version 14.1. This vulnerability could allow remote users to bypass SecurityManager restrictions and retrieve any file stored on the server by setting only consecutive strings ‘/...%5c’.

References list
EasyPHP website
Etiquetas