CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-45982
https://notcve.org/view.php?id=CVE-2022-45982
08 Feb 2023 — thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. • https://gist.github.com/Dar1in9s/aa87df679057db3bbdade360d77f8cca • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 7%CPEs: 1EXPL: 1CVE-2022-47945
https://notcve.org/view.php?id=CVE-2022-47945
23 Dec 2022 — ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php. • https://github.com/top-think/framework/commit/c4acb8b4001b98a0078eda25840d33e295a7f099 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38352
https://notcve.org/view.php?id=CVE-2022-38352
15 Sep 2022 — ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload. Se ha detectado que ThinkPHP versión v6.0.13, contiene una vulnerabilidad de deserialización por medio del componente League\Flysystem\Cached\Storage\Psr6Cache. Esta vulnerabilidad permite a atacantes ejecutar código arbitrario por medio de una carga útil diseñada • https://github.com/top-think/framework/issues/2749 • CWE-502: Deserialization of Untrusted Data •