Microsoft · Composer-Setup · CVE-2020-15145
**Name of the Vulnerable Software and Affected Versions**
Composer-Setup for Windows versions prior to 6.0.0
**Description**
The issue allows a local attacker to exploit several scenarios on a shared developer's computer. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` to achieve elevated command execution when composer is run by an administrator. Additionally, a local regular user may create a specially crafted dll in the `C:\ProgramData\ComposerSetup\bin` folder to gain Local System privileges. The directory of the php.exe selected by the user is added to the system path without checking if it is admin secured, as per Microsoft guidelines.
**Recommendations**
For versions prior to 6.0.0, update to version 6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `C:\ProgramData\ComposerSetup\bin` folder to prevent local regular users from modifying the `composer.bat` file or creating malicious dlls. Also, ensure that the directory of the php.exe selected by the user is properly secured according to Microsoft guidelines.
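One way to check the workaround, as an added example that is not part of the advisory or of Composer-Setup: the script lists allow-ACEs that give a non-administrative principal write access to the `C:\ProgramData\ComposerSetup\bin` folder or to any directory on the system path (which is where the php.exe directory ends up). The trusted SID list and the function name `Get-UnsafeWriteAce` are assumptions made for this example.

```powershell
# Added example: flag directories where a non-admin principal can write.
# The trusted SID list is an assumption; adjust it to local policy.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal plant or replace a file in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs

function Get-UnsafeWriteAce {
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory
    # Ask for SIDs directly so localized or unresolved account names do not matter.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Directory = $Directory
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The folder named in the advisory, plus every directory on the machine-wide PATH.
$dirs = @('C:\ProgramData\ComposerSetup\bin')
$dirs += [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim('"')) }

$dirs | Select-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Get-UnsafeWriteAce -Directory $_ } |
    Format-Table -AutoSize
```

An empty result means no listed directory grants write access outside the trusted SIDs; the directory owner's implicit rights are not covered by this check.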