PT-2021-10431 · Thinkphp · Thinkphp

Feizi76

·

Published

2021-09-28

·

Updated

2021-10-06

·

CVE-2020-20120

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ThinkPHP versions 3.2.3 and below
Description: The issue is a SQL injection vulnerability in the where and query methods. It is triggered when these methods are called with a condition built as a string instead of an array: a string condition is concatenated into the SQL statement as-is, so any user-controlled data spliced into it (for example a request parameter appended to a where condition) becomes part of the query and can change what it does. When an array is passed instead, the framework builds the condition from the array keys and values itself rather than from attacker-controlled text.
Recommendations: For ThinkPHP versions 3.2.3 and below, update to a version above 3.2.3 to resolve the issue. As a temporary workaround, pass conditions to the where and query methods as arrays rather than as strings assembled from user input, and make sure no untrusted input reaches these methods as a raw string. Audit every call site that passes a string built from request data to these methods and treat each one as a potential injection point.
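As an added example that is not part of this advisory and not code from ThinkPHP, the stand-alone PHP script below shows the two call shapes the description contrasts: a where condition passed as a string built from user input, and the same condition passed as an array. The demoWhere function, the users table and the attacker string are constructed here for illustration and are a minimal stand-in for the framework's where(), not ThinkPHP's implementation; the script needs only PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not ThinkPHP's own code: a minimal stand-in for the two
// call styles of where() described in the advisory, backed by an in-memory
// SQLite database through PDO so it runs stand-alone (php with pdo_sqlite).
// Assumption: demoWhere, the users table and the sample rows are constructed
// for this demo and do not come from the advisory or from ThinkPHP.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");

/**
 * Stand-in for a where() that accepts either a raw string or an array.
 * A string is spliced into the SQL unchanged, which is the vulnerable path
 * the advisory describes; an array is turned into "column = ?" pairs with
 * the values bound as parameters, so user data never becomes SQL text.
 */
function demoWhere(PDO $db, $where)
{
    $sql = 'SELECT id, name FROM users WHERE ';
    if (is_array($where)) {
        $clauses = array();
        $params  = array();
        foreach ($where as $column => $value) {
            // Column names are chosen by the developer here; only the values
            // originate from the user, and those are bound, not concatenated.
            $clauses[] = sprintf('%s = ?', $column);
            $params[]  = $value;
        }
        $stmt = $db->prepare($sql . implode(' AND ', $clauses));
        $stmt->execute($params);
    } else {
        // Raw string: whatever the caller concatenated becomes part of the statement.
        $stmt = $db->query($sql . $where);
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, as it might arrive in a request parameter such as ?id=...
$userInput = '0 OR 1=1';

// Vulnerable shape: the condition is a string with user input appended to it.
$leaked = demoWhere($db, 'id=' . $userInput);
printf("string where -> %d rows (every user returned)\n", count($leaked));

// Array shape: the same text is bound as one value and matches no row.
$safe = demoWhere($db, array('id' => $userInput));
printf("array where  -> %d rows\n", count($safe));
```

Run it with php on the command line: the string form returns all three rows because the appended "OR 1=1" became part of the statement, while the array form binds the same text as a single value for the id column and matches nothing. In a ThinkPHP 3.2 application the corresponding call shapes are where('id=' . I('get.id')) (the vulnerable string form) and where(array('id' => I('get.id'))) (the array form the advisory recommends); the recommendation for query() is the same in spirit, namely to supply values separately from the SQL text instead of concatenating them into it.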

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2020-20120
GHSA-M7H5-FJJQ-559F

Affected Products

Thinkphp