CVE-2020-15227
HIGH8.7EPSS 93.8%Potential Remote Code Execution vulnerability
Published: 10/2/2020Modified: 3/13/2026
Also known as:GHSA-8gv3-3j7f-wg94
Description
Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette versions prior to 2.0.19 and 2.1.13 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Reported by Cyku Hong from DEVCORE (https://devco.re) ### Impact Code injection, possible remote code execution. ### Patches Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
Affected packages (2)
- Debian/php-nettefrom 0, < 2.4-20160731-1+deb9u1
- Packagist/nette/application>= 2.2.0, < 2.2.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-15227
- PATCHhttps://github.com/nette/application
- WEBhttps://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/nette/application/CVE-2020-15227.yaml
- WEBhttps://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- WEBhttps://lists.debian.org/debian-lts-announce/2021/04/msg00003.html
- WEBhttps://packagist.org/packages/nette/application
- WEBhttps://packagist.org/packages/nette/nette