PT-2023-31151 · Microsoft · Microsoft-Graph-Core

Published 2023-12-05 · Updated 2023-12-12 · CVE-2023-49283
CVSS v3.1: 5.4 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
Name of the Vulnerable Software and Affected Versions: microsoft-graph-core, versions prior to 2.0.2
Description: The Microsoft Graph Core PHP SDK (Composer package microsoft/microsoft-graph-core) ships test code at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php that calls phpinfo() when the file is executed. Any client or application that can reach and execute that file therefore obtains a full dump of the PHP runtime configuration. Exploitation requires a server misconfiguration: the application's Composer /vendor directory must be web accessible, with the web server passing PHP files under it to the interpreter. An attacker with that access sends a single HTTP request for the file's path and receives the phpinfo() output, which discloses the PHP version and build, loaded modules, ini settings, and environment variables (which in many deployments carry hostnames, paths and credentials). That information can be used to reach additional data and to plan further attacks.
Recommendations: For versions prior to 2.0.2, update microsoft-graph-core to version 2.0.2, which removes the issue. Until the update is applied, the following mitigations reduce the risk. Deleting vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php stops this specific exposure, but note that the file returns with the next composer install or update of the vulnerable version. A more durable fix is to remove web access to the /vendor directory altogether (deny the path in the web server configuration, or keep vendor/ outside the document root), which also closes any other test or example scripts shipped by dependencies. Disabling phpinfo in php.ini (disable_functions) blocks this particular sink but affects the whole application and does nothing for other exposed files. Whichever measure is applied, verify it: an HTTP request for the file's path should be refused (403 or 404) rather than returning a page containing the PHP version and configuration.
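The following script is an added example, not part of this advisory or of the microsoft-graph-core SDK. It audits a deployment offline for the two conditions the description and recommendations above rely on: a locked microsoft/microsoft-graph-core version below 2.0.2 in composer.lock, and the Composer vendor/ tree sitting inside the web server's document root, where tests/GetPhpInfo.php becomes an HTTP-reachable phpinfo() page. It also checks a php.ini for the disable_functions mitigation and prints a deny rule for the /vendor/ path. The layout it assumes (composer.lock and vendor/ directly under the document root) is a hypothetical deployment convention, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory or the SDK). Offline audit for the
# CVE-2023-49283 exposure conditions. Assumption: the document root passed as
# $1 contains composer.lock and the Composer vendor/ directory.

GRAPH_CORE_TEST_FILE="vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php"

# Print the locked version of microsoft/microsoft-graph-core from the
# composer.lock at $1 (prints nothing if the package is not locked).
graph_core_locked_version() {
  awk '
    /"name": "microsoft\/microsoft-graph-core"/ { inpkg = 1 }
    inpkg && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
  ' "$1"
}

# Return 0 when version $1 is 2.0.2 or later (the fixed release), 1 otherwise.
# A leading "v" is tolerated; only major.minor.patch is compared.
graph_core_is_fixed() {
  ver="${1#v}"
  awk -v v="$ver" 'BEGIN {
    split(v, a, ".")
    maj = a[1] + 0; min = a[2] + 0; pat = a[3] + 0
    if (maj > 2 || (maj == 2 && (min > 0 || pat >= 2))) exit 0
    exit 1
  }'
}

# Return 0 if the SDK test file exists under the document root $1, i.e. the
# misconfiguration the advisory describes makes it reachable over HTTP.
graph_core_test_file_exposed() {
  [ -f "$1/$GRAPH_CORE_TEST_FILE" ]
}

# Return 0 if the php.ini at $1 lists phpinfo in disable_functions
# (coarse match: any "phpinfo" token inside the uncommented value).
phpinfo_disabled_in_ini() {
  grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=[^#]*phpinfo' "$1"
}

# Emit an nginx rule that refuses every request into /vendor/. Unlike deleting
# the test file, the rule survives composer install/update.
nginx_vendor_deny_rule() {
  printf '%s\n' 'location ^~ /vendor/ { deny all; }'
}

# Audit the document root $1. Prints findings; returns 1 if action is needed
# (vulnerable version locked, or the test file is inside the document root).
audit_graph_core_deployment() {
  docroot="$1"
  status=0
  ver=$(graph_core_locked_version "$docroot/composer.lock")
  if [ -n "$ver" ] && ! graph_core_is_fixed "$ver"; then
    echo "microsoft/microsoft-graph-core $ver is below 2.0.2: update to 2.0.2"
    status=1
  fi
  if graph_core_test_file_exposed "$docroot"; then
    echo "$GRAPH_CORE_TEST_FILE is inside the document root: block /vendor/"
    echo "  e.g. nginx: $(nginx_vendor_deny_rule)"
    status=1
  fi
  return "$status"
}

# Usage: ./audit.sh /var/www/app   (no arguments: only defines the functions)
if [ "$#" -gt 0 ]; then
  audit_graph_core_deployment "$1"
fi
```

The version check and the file check are deliberately separate: a patched SDK with vendor/ still inside the document root is no longer exploitable through this file, but the same misconfiguration will expose the next dependency that ships a test script, so the /vendor/ deny rule is worth applying regardless of the SDK version.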

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-49283
GHSA-MHHP-C3CM-2R86

Affected Products

Microsoft-Graph-Core