CVE-2020-13909

moderate-risk
Published 2020-06-07

The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix.

Do I need to act?

-
0.43% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Facade

References (4)

Patch https://github.com/facade/ignition/compare/2.0.4...2.0.5
Release Notes https://github.com/facade/ignition/releases/tag/2.0.5
Patch https://github.com/facade/ignition/compare/2.0.4...2.0.5
Release Notes https://github.com/facade/ignition/releases/tag/2.0.5
39
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal