Local File Inclusion Vulnerability in ThinkPHP Framework (CVE-2020-15227)

CVE-2022-47945 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). A remote, unauthenticated attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
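For defenders reviewing web server logs, the following added example (not part of the original advisory and not ThinkPHP code) flags requests whose lang query parameter is not a plain language-pack name. It assumes combined-format access logs and only inspects the query string; the locale pattern, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed allow-list: language-pack names look like "en", "zh-cn", "pt_BR".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8}){0,2}")
# Request field of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2023:10:00:00 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2023:10:00:03 +0000] "GET /index.php?lang=../../placeholder/pearcmd HTTP/1.1" 200 97',
    '203.0.113.9 - - [01/Jan/2023:10:00:04 +0000] "GET /?lang=%252e%252e%252fpearcmd HTTP/1.1" 200 97',
    '198.51.100.7 - - [01/Jan/2023:10:00:09 +0000] "GET /about?page=2 HTTP/1.1" 200 2048',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_lang_values(log_line):
    """Return the lang values in one log line that are not locale names."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() != "lang":
            continue
        value = fully_decode(value)  # parse_qsl has already decoded once
        if not LOCALE_RE.fullmatch(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (client_ip, lang_value) pairs for every suspicious request."""
    return [(line.split()[0], v) for line in lines for v in suspicious_lang_values(line)]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-locale lang value: {value!r}")
```

A hit indicates a request worth investigating, not a confirmed compromise; whether the host was exposed still depends on the ThinkPHP version and the lang_switch_on setting.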
