An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component
The attacker sends a crafted HTTP request to the index.php component of an application based on ThinkPHP 3.2.5. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and indicates the possibility of code injection and execution on the server side. The exploit requires no authentication, user interaction, or special network conditions, making it trivial to execute remotely.
Attackers can gain full control of the server — read, modify or delete data, execute arbitrary system commands, and potentially gain access to other resources on the internal network.
Apply patches available from the vendor according to references. Due to lack of active support for the ThinkPHP 3.x branch, urgent migration to a currently supported version of the framework is recommended.
ThinkPHP version 3.2.5 (thinkphp3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThinkphp
APPThinkphp3.2.5
Related vulnerabilities
ThinkPHP 5.0.23 — zdalne wykonanie kodu przez parametr routingu (RCE)
RCE w funkcji read sterownika szablonów ThinkPHP 5.0.24
RCE w ThinkPHP 5.1 przez funkcję routecheck
ThinkPHP: RCE poprzez deserializację w Index.php (CVE-2024-48112)
Krytyczna podatność deserialization RCE w ThinkPHP v6.1.3–v8.0.4