CVE-2023-37473

CVSS 3.1 Score 8.8 of 10 (high)

Attack Complexity low
Confidentiality high
Integrity high
Availability high
Privileges Required low
Scope unchanged

Details

Published Jul 14, 2023
Updated Jul 31, 2023
CWE ID 74

Summary

CVE-2023-37473 affects the zenstruck/collections library, which provides helpers for iterating, paginating, and filtering collections. A vulnerability was discovered where passing certain strings that happen to be the name of a PHP callable, such as `system`, caused that function to be executed rather than the string being treated as a value. As a result, a limited subset of user input is interpreted as code. The vulnerability has been addressed in commit `f4b1c48820` and is included in release version 0.2.1. Users are advised to upgrade as soon as possible. Those unable to upgrade should ensure that user input is never passed to the `EntityRepository::find()` or `query()` functions.
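The following is an added illustration of the bug class described above (CWE-74, input interpreted as code); it is not code from zenstruck/collections, and `HypotheticalRepository`, `findVulnerable()` and `findHardened()` are invented names. It contrasts a lookup helper that distinguishes "filter callback" from "value to compare" with `is_callable()`, which is true for any string naming a PHP function, against one that accepts only a `Closure`, which cannot be constructed from request data.

```php
<?php
// Added example, not zenstruck/collections code. Shows why deciding
// "is this argument a filter or a value?" with is_callable() turns a
// user-supplied string into a function call, and the hardened alternative.

declare(strict_types=1);

final class HypotheticalRepository
{
    /** @param list<array<string,mixed>> $rows constructed sample rows */
    public function __construct(private array $rows) {}

    /**
     * Vulnerable pattern: any string that PHP knows as a function name
     * passes is_callable() and is invoked on every row instead of being
     * compared to the row's name.
     */
    public function findVulnerable(mixed $criteria): array
    {
        if (is_callable($criteria)) {
            return array_values(array_filter($this->rows, $criteria));
        }

        return array_values(array_filter(
            $this->rows,
            fn (array $row): bool => $row['name'] === $criteria
        ));
    }

    /**
     * Hardened pattern: only a Closure is treated as a filter. A Closure can
     * only be created in code, so every string (including the names of
     * builtins) is data and is compared, never called.
     */
    public function findHardened(Closure|string|int $criteria): array
    {
        if ($criteria instanceof Closure) {
            return array_values(array_filter($this->rows, $criteria));
        }

        return array_values(array_filter(
            $this->rows,
            fn (array $row): bool => $row['name'] === $criteria
        ));
    }
}

// Constructed sample data.
$repo = new HypotheticalRepository([
    ['id' => 1, 'name' => 'alice'],
    ['id' => 2, 'name' => 'bob'],
]);

// Constructed "request parameter": the name of a harmless builtin. gettype()
// accepts any argument and returns a non-empty string, so in the vulnerable
// path it is called on every row and every row passes the filter.
$userInput = 'gettype';

var_dump(count($repo->findVulnerable($userInput)));   // int(2): input ran as code
var_dump(count($repo->findHardened($userInput)));     // int(0): no row named "gettype"

// Ordinary lookups and code-defined filters behave the same in both versions.
var_dump($repo->findHardened('alice')[0]['id']);                         // int(1)
var_dump($repo->findHardened(fn (array $r): bool => $r['id'] === 2)[0]['name']); // string(3) "bob"
```

Two practical notes for anyone reviewing similar helpers: a `callable` parameter type does not close this gap, because PHP's `callable` type accepts strings and `[object, 'method']` arrays just as `is_callable()` does, so `Closure` is the type to require; and a detection-side check is to grep a code base for `is_callable(` applied to values that can originate from a request (query parameters, form fields, JSON bodies), since each such site is a candidate for the same confusion.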
