CVE-2022-47945: Path Traversal
First published: Fri Dec 23 2022(Updated: )
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (`lang_switch_on=true`). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including `pearcmd.php`.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ThinkPHP ThinkPHP | <6.0.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-47945?
CVE-2022-47945 is a vulnerability in the ThinkPHP Framework before version 6.0.14 that allows for local file inclusion and arbitrary command execution.
How severe is CVE-2022-47945?
CVE-2022-47945 has a severity rating of 9.8 (critical).
How does CVE-2022-47945 work?
CVE-2022-47945 can be exploited by an unauthenticated remote attacker by using the lang parameter with the language pack feature enabled, allowing them to execute arbitrary operating system commands.
Which software versions are affected by CVE-2022-47945?
ThinkPHP Framework versions before 6.0.14 are affected by CVE-2022-47945.
How can CVE-2022-47945 be fixed?
To fix CVE-2022-47945, it is recommended to update to ThinkPHP Framework version 6.0.14 or higher.
- collector/github-advisory-latest
- alias/GHSA-p4qr-vq2g-22wp
- alias/CVE-2022-47945
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/event
- agent/author
- agent/type
- agent/description
- agent/remedy
- agent/first-publish-date
- agent/severity
- agent/tags
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/thinkphp
- canonical/thinkphp thinkphp