CVE-2020-15227

high-risk

Published 2020-10-01

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.

Do I need to act?

93.8% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.7/10 High

NETWORK / HIGH complexity

Affected Products (2)

Application

Debian Linux

Affected Vendors

Debian Nette

References (8)

Third Party Advisory https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html

Third Party Advisory https://packagist.org/packages/nette/application

Third Party Advisory https://packagist.org/packages/nette/nette

Third Party Advisory https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html

Third Party Advisory https://packagist.org/packages/nette/application

Third Party Advisory https://packagist.org/packages/nette/nette

/ 100

high-risk

Severity 26/34 · High

Exploitability 20/34 · Moderate

Exposure 7/34 · Low