Arbitrary PHP Code Execution Vulnerability in Fenom 2.12.1 and Earlier

CVE-2021-46433 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode()to bypass sandbox to execute arbitrary PHP code when disable_native_funcs is true.

Learn more about our Web Application Penetration Testing UK.