CVE-2024-34467: ThinkPHP allows remote attackers to discover the PHPSESSION cookie
ThinkPHP 8.0.3 allows remote attackers to discover the PHPSESSION cookie because think_exception.tpl (aka the debug error output source code) provides this in an error message for a crafted URI in a GET request.
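The defensive pattern behind the fix is to keep session identifiers and the raw Cookie header out of any debug exception page, and to show no request context at all when debug mode is off. The following is an added illustration in plain PHP, not ThinkPHP's own think_exception.tpl or error handler; the `$debug` flag, the `renderException` and `redactRequestContext` names and the use of `session_name()` to find the session cookie are assumptions of this example.

```php
<?php
// Added example (not ThinkPHP code): render an exception page that never
// echoes the session cookie or the Cookie/Authorization headers.

const SENSITIVE_HEADERS = ['HTTP_COOKIE', 'HTTP_AUTHORIZATION'];

// Copy the request context, replacing the session cookie and sensitive
// headers with a marker so a debug page cannot leak them.
function redactRequestContext(array $server, array $cookie, string $sessionName): array
{
    foreach (SENSITIVE_HEADERS as $h) {
        if (isset($server[$h])) {
            $server[$h] = '[redacted]';
        }
    }
    if (isset($cookie[$sessionName])) {
        $cookie[$sessionName] = '[redacted]';
    }
    return ['server' => $server, 'cookie' => $cookie];
}

// $debug should be false in production: then only a generic message is shown.
function renderException(Throwable $e, bool $debug): string
{
    if (!$debug) {
        return '<h1>500 Internal Server Error</h1>';
    }
    // Even in debug mode, the request URI and message are escaped and the
    // context is redacted before it reaches the page.
    $ctx = redactRequestContext($_SERVER, $_COOKIE, session_name() ?: 'PHPSESSID');
    $out  = '<h1>' . htmlspecialchars(get_class($e) . ': ' . $e->getMessage()) . '</h1>';
    $out .= '<p>URI: ' . htmlspecialchars($_SERVER['REQUEST_URI'] ?? '') . '</p>';
    $out .= '<pre>' . htmlspecialchars(print_r($ctx, true)) . '</pre>';
    return $out;
}
```

A quick check for an existing deployment is to request a deliberately invalid path against a staging instance while logged in and confirm the error page does not contain the value of your own session cookie.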
References
- github.com/advisories/GHSA-969f-v7jv-pgj3
- github.com/top-think/framework
- github.com/top-think/framework/commit/403358cd3e510e2fdab63f951930bdd093314eee
- github.com/top-think/framework/commit/57d1950a1844ef8d3098ea290032aeb92e2e32c3
- github.com/top-think/framework/commit/d3904e51e279c3b72ee206192aeccf9b1cffb534
- github.com/top-think/framework/issues/2996
- nvd.nist.gov/vuln/detail/CVE-2024-34467