zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`.
References
Configurations
History
21 Nov 2024, 08:11
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.5 |
References | () https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c - Patch | |
References | () https://github.com/zenstruck/collection/releases/tag/v0.2.1 - Release Notes | |
References | () https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq - Mitigation |
31 Jul 2023, 17:12
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CPE | cpe:2.3:a:zenstruck:collection:0.2.1:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c - Patch | |
References | (MISC) https://github.com/zenstruck/collection/releases/tag/v0.2.1 - Release Notes | |
References | (MISC) https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq - Mitigation |
14 Jul 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-14 21:15
Updated : 2024-11-21 08:11
NVD link : CVE-2023-37473
Mitre link : CVE-2023-37473
CVE.ORG link : CVE-2023-37473
JSON object : View
Products Affected
zenstruck
- collection
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')