CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-43655 – Remote Code Execution via web-accessible composer.phar
https://notcve.org/view.php?id=CVE-2023-43655
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice. • https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG https://lists.fedoraproject.org/arch • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 1CVE-2015-8371
https://notcve.org/view.php?id=CVE-2015-8371
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected. • https://flyingmana.de/blog_en/2016/02/14/composer_cache_injection_vulnerability_cve_2015_8371.html https://github.com/FriendsOfPHP/security-advisories/blob/e26be423c5bcfdb38478d2f92d1f928c15afb561/composer/composer/CVE-2015-8371.yaml https://github.com/composer/composer https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2015-8371.yml • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1596 – tagDiv Composer < 4.0 - Reflected Cross-site Scripting
https://notcve.org/view.php?id=CVE-2023-1596
The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘td_video_url’ parameter in versions up to, but not including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/cada9be9-522a-4ce8-847d-c8fff2ddcc07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-24828 – Missing input validation can lead to command execution in composer
https://notcve.org/view.php?id=CVE-2022-24828
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. • https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG https://www.tenable.com& • CWE-20: Improper Input Validation CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41116 – Command injection in composer on Windows
https://notcve.org/view.php?id=CVE-2021-41116
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue. • https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf https://www.sonarsource.com/blog/securing-developer-tools-package-managers • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •