PT-2023-31150 · Microsoft · Msgraph-Sdk-Php

Published

2023-12-05

·

Updated

2023-12-12

·

CVE-2023-49282

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions

msgraph-sdk-php versions prior to 1.109.1
msgraph-sdk-php versions prior to 2.0.0-RC5
Description

The Microsoft Graph PHP SDK (msgraph-sdk-php) shipped a test script, vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, that calls the phpinfo() function. The script is harmless on its own, but it becomes reachable when the web server is misconfigured so that the application's /vendor directory is served over HTTP (for example, when the project root rather than its public directory is used as the document root). An attacker who can reach that directory can request the script directly and have phpinfo() executed, disclosing PHP configuration, loaded modules and environment variables; any secrets exposed there, such as credentials held in environment variables, could then be used to access additional data.
Recommendations

Update to 1.109.1 or later on the 1.x line, or to 2.0.0-RC5 or later on the 2.x line. Until the update is applied, any of the following reduces the exposure: delete the vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file; deny web access to the /vendor directory so that only the application's public document root is served; or disable phpinfo through PHP's disable_functions setting so the script discloses nothing even if it is reached. Note that deleting the file is undone by the next composer install or update, which re-extracts the package including its tests directory, so treat the deletion as a stopgap rather than a fix.
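The following Python script is an added example and is not part of this advisory or of the SDK's own code. It checks an installation for the conditions described above: the installed package version (read from composer.lock, whose "packages" entries carry a "name" and "version" as Composer writes them) is compared against the fixed versions 1.109.1 and 2.0.0-RC5, the presence of the shipped test script on disk is reported, an optional HTTP probe requests the script at its path under /vendor and treats a 200 response whose body contains the "phpinfo()" marker that phpinfo's HTML title carries as confirmation that the directory is web-accessible, and the file-removal workaround is applied. The demo() function builds a constructed stand-in project tree in a temporary directory (a fake composer.lock pinning 1.108.0 and a placeholder GetPhpInfo.php) so the audit runs offline; the function names, the demo version and the User-Agent string are assumptions made here.

```python
"""Audit a PHP project for CVE-2023-49282 (msgraph-sdk-php GetPhpInfo.php exposure).

Added example; not code from the advisory or from the Microsoft Graph PHP SDK.
"""
import json
import re
import shutil
import tempfile
from pathlib import Path
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

PACKAGE = "microsoft/microsoft-graph"
# Path of the test script inside the project, as named in the advisory.
TEST_FILE = Path("vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")
# The same path as it would be requested when /vendor is web-accessible.
TEST_URL_PATH = "/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def is_vulnerable_version(version):
    """True for the advisory's affected ranges (< 1.109.1 and < 2.0.0-RC5),
    False for fixed versions, None when the version scheme is not recognised
    (e.g. "dev-main"), which a caller should treat as "check manually"."""
    v = version.strip().lstrip("v")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", v, re.IGNORECASE)
    if not m:
        return None
    major, minor, patch, rc = (int(x) if x is not None else None for x in m.groups())
    if major >= 2:
        if (major, minor, patch) == (2, 0, 0):
            # 2.0.0-RC1..RC4 are affected; 2.0.0-RC5 and the final 2.0.0 are fixed.
            return rc is not None and rc < 5
        return False
    if major == 1:
        return (minor, patch) < (109, 1)
    return None


def installed_version(root):
    """Return the locked version of the SDK from composer.lock, or None."""
    lock = Path(root) / "composer.lock"
    if not lock.is_file():
        return None
    data = json.loads(lock.read_text())
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def audit(root):
    """Local findings: installed version, whether it is in an affected range,
    and whether the test script is still present on disk."""
    root = Path(root)
    version = installed_version(root)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version) if version else None,
        "test_file_present": (root / TEST_FILE).is_file(),
    }


def remove_test_file(root):
    """Apply the advisory's workaround; returns True if a file was removed."""
    target = Path(root) / TEST_FILE
    if target.is_file():
        target.unlink()
        return True
    return False


def probe(base_url, timeout=5):
    """Request the script over HTTP. True when the response looks like phpinfo()
    output (status 200 and the "phpinfo()" marker from its HTML title), False on
    an HTTP error or an unrelated body, None when the host is unreachable."""
    req = Request(base_url.rstrip("/") + TEST_URL_PATH,
                  headers={"User-Agent": "cve-2023-49282-check"})  # assumed UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536)
            return resp.status == 200 and b"phpinfo()" in body
    except HTTPError:
        return False
    except URLError:
        return None


def demo():
    """Constructed stand-in project (not a real install): audit it, apply the
    file-removal workaround, audit again, and return both sets of findings."""
    root = Path(tempfile.mkdtemp(prefix="msgraph-audit-"))
    (root / "composer.lock").write_text(json.dumps(
        {"packages": [{"name": PACKAGE, "version": "1.108.0"}]}))  # assumed version
    target = root / TEST_FILE
    target.parent.mkdir(parents=True)
    target.write_text("<?php\nphpinfo();\n")  # placeholder for the shipped script
    before = audit(root)
    removed = remove_test_file(root)
    after = audit(root)
    shutil.rmtree(root)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run audit() against a real project root to see whether the package version and the file on disk still need attention; probe() is only meaningful against a host you are authorised to test, and a True result means the /vendor directory is being served and the server-side hardening in the recommendations is still outstanding, whatever the package version says.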

Information Disclosure

Related Identifiers

CVE-2023-49282
GHSA-CGWQ-6PRQ-8H9Q

Affected Products

Msgraph-Sdk-Php