CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48112
https://notcve.org/view.php?id=CVE-2024-48112
30 Oct 2024 — A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. Una vulnerabilidad de deserialización en el componente \controller\Index.php de Thinkphp v6.1.3 a v8.0.4 permite a los atacantes ejecutar código arbitrario. • https://github.com/nn0nkey/nn0nkey/blob/main/Thinkphp/CVE-2024-48112.md • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-44902
https://notcve.org/view.php?id=CVE-2024-44902
09 Sep 2024 — A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. • https://github.com/fru1ts/CVE-2024-44902 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34467
https://notcve.org/view.php?id=CVE-2024-34467
04 May 2024 — ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think_exception.tpl. ThinkPHP 8.0.3 permite a atacantes remotos descubrir la cookie PHPSESSION porque think_exception.tpl (también conocido como código fuente de salida de error de depuración) proporciona esto en un mensaje de error para un URI manipulado en una solicitud GET. • https://github.com/top-think/framework/issues/2996 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-45982
https://notcve.org/view.php?id=CVE-2022-45982
08 Feb 2023 — thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. • https://gist.github.com/Dar1in9s/aa87df679057db3bbdade360d77f8cca • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1CVE-2022-47945
https://notcve.org/view.php?id=CVE-2022-47945
23 Dec 2022 — ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php. • https://github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-44289
https://notcve.org/view.php?id=CVE-2022-44289
06 Dec 2022 — Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell. Thinkphp 5.1.41 y 5.0.24 tiene un error de lógica de código que provoca la carga del archivo getshell. • https://github.com/top-think/framework/issues/2772 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38352
https://notcve.org/view.php?id=CVE-2022-38352
15 Sep 2022 — ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload. Se ha detectado que ThinkPHP versión v6.0.13, contiene una vulnerabilidad de deserialización por medio del componente League\Flysystem\Cached\Storage\Psr6Cache. Esta vulnerabilidad permite a atacantes ejecutar código arbitrario por medio de una carga útil diseñada • https://github.com/top-think/framework/issues/2749 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-33107
https://notcve.org/view.php?id=CVE-2022-33107
29 Jun 2022 — ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload. Se ha detectado que ThinkPHP versión v6.0.12, contiene una vulnerabilidad de deserialización por medio del componente vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. Esta vulnerabilidad permite a atacantes ejecutar código arbitrario por medio... • https://github.com/top-think/framework/issues/2717 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23592 – Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2021-23592
06 May 2022 — The package topthink/framework before 6.0.12 are vulnerable to Deserialization of Untrusted Data due to insecure unserialize method in the Driver class. El paquete topthink/framework versiones anteriores a 6.0.12, es vulnerable a una Deserialización de Datos No Confiables debido al método no seguro unserialize en la clase Driver • https://github.com/top-think/framework/commit/d3b5aeae94bc71bae97977d05cd12c3e0550905c • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2022-25481
https://notcve.org/view.php?id=CVE-2022-25481
20 Mar 2022 — ThinkPHP Framework v5.0.24 was discovered to be configured without the PATHINFO parameter. This allows attackers to access all system environment parameters from index.php. NOTE: this is disputed by a third party because system environment exposure is an intended feature of the debugging mode. Se ha detectado que ThinkPHP Framework versión v5.0.24, estaba configurado sin el parámetro PATHINFO. Esto permite a atacantes acceder a todos los parámetros del entorno del sistema desde el archivo index.php • https://github.com/Lyther/VulnDiscover/blob/master/Web/ThinkPHP_InfoLeak.md • CWE-284: Improper Access Control CWE-668: Exposure of Resource to Wrong Sphere •