CVSS: 10.0EPSS: 16%CPEs: 2EXPL: 1CVE-2024-35242 – Composer vulnerable to command injection via malicious git/hg branch names
https://notcve.org/view.php?id=CVE-2024-35242
10 Jun 2024 — Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories. • https://github.com/KKkai0315/CVE-2024-35242 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35241 – Composer vulnerable to command injection via malicious git branch name
https://notcve.org/view.php?id=CVE-2024-35241
10 Jun 2024 — Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting. Composer es un a... • https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24821 – Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer
https://notcve.org/view.php?id=CVE-2024-24821
08 Feb 2024 — Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-updat... • https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.0EPSS: 3%CPEs: 5EXPL: 0CVE-2023-43655 – Remote Code Execution via web-accessible composer.phar
https://notcve.org/view.php?id=CVE-2023-43655
29 Sep 2023 — Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is no... • https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1596 – tagDiv Composer < 4.0 - Reflected Cross-site Scripting
https://notcve.org/view.php?id=CVE-2023-1596
17 Apr 2023 — The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘td_video_url’ parameter in versions up to, but not including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers ... • https://wpscan.com/vulnerability/cada9be9-522a-4ce8-847d-c8fff2ddcc07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-24828 – Missing input validation can lead to command execution in composer
https://notcve.org/view.php?id=CVE-2022-24828
13 Apr 2022 — Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagis... • https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 • CWE-20: Improper Input Validation CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2021-41116 – Command injection in composer on Windows
https://notcve.org/view.php?id=CVE-2021-41116
05 Oct 2021 — Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue. • https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 3%CPEs: 6EXPL: 1CVE-2021-29472 – Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer
https://notcve.org/view.php?id=CVE-2021-29472
27 Apr 2021 — Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and... • https://blog.sonarsource.com/php-supply-chain-attack-on-composer • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •