PT-2020-14224 · Microsoft · Composer-Setup

Jarlob

Published: 2020-08-14 · Updated: 2020-08-21

CVE-2020-15145

CVSS v3.1: 8.2 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Composer-Setup for Windows versions prior to 6.0.0

Description

The issue allows a local attacker to exploit several scenarios on a shared developer's computer. A local regular user may modify the existing C:\ProgramData\ComposerSetup\bin\composer.bat to achieve elevated command execution when composer is run by an administrator. Additionally, a local regular user may create a specially crafted DLL in the C:\ProgramData\ComposerSetup\bin folder to gain Local System privileges. The directory of the php.exe selected by the user is added to the system path without checking whether it is admin secured, as per Microsoft guidelines.

Recommendations

For versions prior to 6.0.0, update to version 6.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the C:\ProgramData\ComposerSetup\bin folder to prevent local regular users from modifying composer.bat or creating malicious DLLs. Also ensure that the directory of the php.exe selected by the user is properly secured according to Microsoft guidelines.
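The "admin secured" check the advisory describes as missing can be expressed as an ACL audit: a directory that is about to be (or already is) on the machine PATH must grant write-class rights only to SYSTEM, Administrators and TrustedInstaller. The script below is an added example, not Composer-Setup's own code; it assumes those three SIDs are the only principals allowed to write, and it checks the ComposerSetup bin folder named above together with every directory on the machine PATH.

```powershell
# Added example (not Composer-Setup's own code): list directories on the machine PATH
# that a non-administrative principal can write to, i.e. the "admin secured" check
# that should run before a directory is appended to the system path.
# Assumption: only SYSTEM, Administrators and TrustedInstaller may hold write rights.
$AdminSids = @(
    'S-1-5-18',                                                        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # NT SERVICE\TrustedInstaller
)

# Rights that let a principal plant, replace or re-ACL files inside the directory,
# plus the generic bits (GENERIC_WRITE, GENERIC_ALL) some ACEs store instead.
$WriteMask = 0
foreach ($r in 'CreateFiles', 'CreateDirectories', 'Delete',
               'DeleteSubdirectoriesAndFiles', 'ChangePermissions', 'TakeOwnership') {
    $WriteMask = $WriteMask -bor [int][System.Security.AccessControl.FileSystemRights]$r
}
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Test-AdminSecuredDirectory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $findings = New-Object System.Collections.Generic.List[object]

    # The owner can always rewrite the DACL, so a non-admin owner is a finding by itself.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($AdminSids -notcontains $ownerSid) {
        $findings.Add([pscustomobject]@{ Path = $Path; Identity = $acl.Owner; Rights = 'Owner' })
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($AdminSids -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            $findings.Add([pscustomobject]@{
                Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights })
        }
    }
    return $findings
}

# Audit the folder named in the advisory plus every directory on the machine PATH.
$targets = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
$targets += 'C:\ProgramData\ComposerSetup\bin'
$targets | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Sort-Object -Unique | ForEach-Object { Test-AdminSecuredDirectory -Path $_ } |
    Format-Table Path, Identity, Rights -AutoSize
```

An empty table means every PATH directory is admin secured; any row is a location where a regular user could stage a DLL or replace a script that an administrator later runs, which is exactly the condition the fix in 6.0.0 guards against.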

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2020-15145
GHSA-WGRX-R3QV-332C

Affected Products

Composer-Setup