Miggo Logo

CVE-2020-12479: TeamPass PHP arbitrary file include vulnerability

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.88004%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
nilsteampassnet/teampasscomposer<= 2.1.27.36

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability chain involves two key components:

  1. In users.queries.php, the 'newValue' parameter from the POST request is stored without validation, enabling attackers to set malicious paths.
  2. In core.php, the require_once statement directly uses the tainted $_SESSION['user_language'] value to include files, enabling arbitrary PHP execution. The lack of input validation in users.queries.php and the unsafe file inclusion in core.php together create the path traversal vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**mP*ss *.*.**.** *llows *ny *ut**nti**t** T**mP*ss us*r to tri***r * P*P *il* in*lu** vuln*r**ility vi* * *r**t** *TTP r*qu*st wit* sour**s/us*rs.qu*ri*s.p*p n*wV*lu* *ir**tory tr*v*rs*l.

Reasoning

T** vuln*r**ility ***in involv*s two k*y *ompon*nts: *. In us*rs.qu*ri*s.p*p, t** 'n*wV*lu*' p*r*m*t*r *rom t** POST r*qu*st is stor** wit*out v*li**tion, *n**lin* *tt**k*rs to s*t m*li*ious p*t*s. *. In *or*.p*p, t** r*quir*_on** st*t*m*nt *ir**tly