CVE-2024-34467

Name of the Vulnerable Software and Affected Versions ThinkPHP version 8.0.3

Description The issue allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think exception.tpl. Additionally, it enables remote attackers to discover the PHPSESSION cookie because think exception.tpl provides this in an error message for a crafted URI in a GET request.

Recommendations For ThinkPHP version 8.0.3, consider disabling the think exception.tpl template until a patch is available to prevent the disclosure of the PHPSESSION cookie and mitigate the risk of XSS exploitation. Restrict access to error messages that may contain sensitive information to minimize the risk of exploitation. Avoid using crafted URIs in GET requests to the affected think exception.tpl template until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.