czim/file-handling vulnerable to SSRF and directory traversal
Moderate severity
GitHub Reviewed
Published Sep 17, 2024 to the GitHub Advisory Database • Updated Sep 27, 2024
Package
Affected versions: < 1.5.0; >= 2.0.0, < 2.3.0
Patched versions: 1.5.0; 2.3.0
Description
Published by the National Vulnerability Database: Sep 17, 2024
Reviewed: Sep 17, 2024
The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.
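Upgrading to a patched version is the fix; as an added example (not code from czim/file-handling), the application-side gate below shows the checks a caller should apply to user-supplied URLs before they reach makeFromUrl or makeFromAny: only http/https schemes, an explicit host allow-list, and no resolution to private or reserved addresses. The function name, the allow-list and the commented library call are assumptions.

```php
<?php
// Added example, not part of czim/file-handling. Applies an allow-list gate
// to a URL before the application passes it to makeFromUrl()/makeFromAny().
function isSafeRemoteUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    // Relative paths ("../../etc/passwd") and schemeless input fail here:
    // they carry no scheme and no host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain HTTP(S): this rejects file://, php://, ftp://, gopher:// etc.,
    // which is the local-file-read half of the advisory.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Explicit host allow-list; an SSRF gate that relies on deny-lists alone
    // is routinely bypassed.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return false;
    }
    // Refuse hosts that resolve to private/reserved ranges (internal services,
    // cloud metadata endpoints). DNS can change between this check and the
    // fetch, so egress filtering or an outbound proxy is the robust complement.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        return false;
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return false;
        }
    }
    return true;
}

// Usage (assumed): hand the URL to the library only after it passes the gate.
$allowedHosts = ['cdn.example.com'];            // constructed allow-list
$candidate    = $_GET['url'] ?? '';
if (!isSafeRemoteUrl($candidate, $allowedHosts)) {
    http_response_code(400);
    exit('URL not permitted');
}
// $file = $handler->makeFromUrl($candidate);   // library call, assumed usage
```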