Skip to content

phpSysInfo allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence

Moderate severity GitHub Reviewed Published May 1, 2022 to the GitHub Advisory Database • Updated Mar 30, 2023

Package

composer phpsysinfo/phpsysinfo (Composer)

Affected versions

< 3.2.5

Patched versions

3.2.5

Description

Directory traversal vulnerability in index.php in phpSysInfo prior to 3.2.5 allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) sequence and a trailing null (%00) byte in the lng parameter, which will display a different error message if the file exists.

References

Published by the National Vulnerability Database Jul 6, 2006
Published to the GitHub Advisory Database May 1, 2022
Reviewed Mar 30, 2023
Last updated Mar 30, 2023

Severity

Moderate

EPSS score

0.754%
(82nd percentile)

Weaknesses

CVE ID

CVE-2006-3360

GHSA ID

GHSA-2wxv-3g4v-p76p

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.