CVE-2021-30124

moderate-risk
Published 2021-07-30

The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder.

Do I need to act?

2.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Upgrade to: 37f44f1cdd13b7a209f6af4fcb9b68522e60c12a, c462bf5c6f0160d0199855d5f8ed76be8d9beac0
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Vscode-Phpmd

Affected Vendors

43 / 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal