An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
The vulnerability classified as CWE-94 (code injection) exists in the routecheck function of ThinkPHP v.5.1 framework. An attacker can provide specially crafted input data that is interpreted and executed as server-side code. The absence of data validation or filtering mechanisms in this function allows for injection and execution of arbitrary PHP code.
An attacker can gain full control over the application server — obtain access to sensitive data, modify application content, and potentially perform further actions in the infrastructure (lateral movement). The CVSS vector indicates high confidentiality, integrity, and availability impact on resources.
Patches available from the vendor should be applied in accordance with references. Urgent update of the ThinkPHP framework to a version not containing the described vulnerability is recommended, and network access to applications based on this version should be restricted until the patch is implemented.
ThinkPHP v.5.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThinkphp
APPThinkphp5.1.0
Related vulnerabilities
ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)
RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24
RCE w ThinkPHP 3 — wykonanie kodu przez komponent index.php
ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)
Krytyczna podatność deserialization RCE w ThinkPHP v6.1.3–v8.0.4