dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php.
The vulnerability classified as CWE-98 (PHP Remote File Inclusion) consists of improper file name validation used in the include/require instruction in the VersionManager.php file. An attacker can provide a crafted value pointing to an external or local resource, resulting in the inclusion and execution of untrusted PHP code. Due to the network vector (AV:N) and lack of permission requirements (PR:N) and user interaction (UI:N), the attack can be performed remotely by an unauthenticated attacker.
An attacker can achieve complete server compromise through remote code execution (RCE), as well as gain access to sensitive data, modify it, or cause application unavailability.
Patches available from the vendor should be applied in accordance with the references. It is recommended to monitor the project repository (https://github.com/jqhph/dcat-admin) to obtain the updated version and implement the patch immediately. Until the patch is applied, it is recommended to restrict network access to the Dcat Admin panel using a firewall or infrastructure-level authentication mechanisms.
Dcat Admin version 2.2.3-beta and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDcatadmin Dcat Admin
APPDcatadmin≤ 1.7.92.0.0 – 2.2.3
Related vulnerabilities
A vulnerability was found in Dcat-Admin 2.2.1-beta. It has been rated as problematic. This issue affects some ...
Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.
Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/men...
Cross Site Scripting vulnerability in dcat-admin v.2.1.3 and before allows a remote attacker to execute arbitr...
A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3-beta allows attackers to execute arbitr...