
CVE-2021-43676: Path manipulation in matyhtf/framework

CVSS Score
9.8 (CVSS v3.1)

Basic Information

EPSS Score
0.68152%
Published
12/4/2021
Updated
2/5/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
matyhtf/framework | composer  | < 3.0.6             | 3.0.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a path traversal (CWE-22) in Smarty.class.php, the Smarty template engine file shipped in the package. The exact fix commit is unavailable, but Smarty-style engines take the template name from the caller and resolve it against the template directory in methods such as fetch(). The advisory states the issue was fixed in v3.0.6, which is consistent with a template path that was joined to the template directory without canonicalisation or a containment check, so a name carrying "../" segments (or an absolute path) could read files outside that directory. fetch() is therefore the primary candidate: it performs template rendering and is the point where the resolved path must be validated. Confidence is high given the CWE and standard Smarty implementation patterns, but the attribution to fetch() rests on inference rather than on the fix diff.
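As an added illustration (not code from matyhtf/framework, Smarty, or the advisory), the PHP below puts a traversal-prone template lookup of the kind the analysis describes beside a hardened one. The function names, the regex allow-list and the scratch files are assumptions made for the demo; the hardened version's check (canonicalise with realpath(), then require the result to sit under the canonical template directory) is the generic fix for CWE-22 at this point in a template engine, not a claim about what the v3.0.6 patch actually changed.

```php
<?php
// Added example for this page; it is not code from matyhtf/framework or Smarty.
// Function names and the demo files below are hypothetical.
declare(strict_types=1);

// Traversal-prone lookup: the caller-supplied name is appended to the template
// directory and read as-is, so "../secret.txt" or an absolute path escapes it.
function fetchTemplateUnsafe(string $templateDir, string $templateName): string
{
    $path = $templateDir . '/' . $templateName;
    $contents = @file_get_contents($path);
    if ($contents === false) {
        throw new RuntimeException("template not readable: $path");
    }
    return $contents;
}

// Hardened lookup: allow-list the name, canonicalise with realpath(), and
// require the resolved file to live under the canonical template directory.
function resolveTemplatePath(string $templateDir, string $templateName): string
{
    if ($templateName === '' || strpos($templateName, "\0") !== false) {
        throw new InvalidArgumentException('invalid template name');
    }
    // Relative names built from plain segments only: no leading "/", no "." or ".." segments.
    $segment = '[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*';
    if (!preg_match('#\A(?:' . $segment . '/)*' . $segment . '\z#', $templateName)) {
        throw new InvalidArgumentException('template name contains disallowed characters');
    }
    $base = realpath($templateDir);
    if ($base === false) {
        throw new RuntimeException('template directory does not exist');
    }
    // realpath() also follows symlinks, so a link inside the directory that
    // points outside it is caught by the containment check below.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $templateName);
    if ($resolved === false) {
        throw new RuntimeException('template not found');
    }
    $prefix = $base . DIRECTORY_SEPARATOR; // trailing separator: "/tpl" must not match "/tpl-private"
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('template path escapes the template directory');
    }
    return $resolved;
}

function fetchTemplateSafe(string $templateDir, string $templateName): string
{
    $contents = file_get_contents(resolveTemplatePath($templateDir, $templateName));
    if ($contents === false) {
        throw new RuntimeException('template not readable');
    }
    return $contents;
}

// Demo with constructed files: a template directory and a "secret" one level above it.
$scratch = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($scratch . '/templates', 0700, true);
file_put_contents($scratch . '/templates/index.tpl', "<h1>{\$title}</h1>\n");
file_put_contents($scratch . '/secret.txt', "db_password=example\n");

echo "unsafe: ", fetchTemplateUnsafe($scratch . '/templates', '../secret.txt'); // the secret leaks
try {
    fetchTemplateSafe($scratch . '/templates', '../secret.txt');
} catch (Exception $e) {
    echo "safe: blocked (", $e->getMessage(), ")\n";
}
echo "safe: ", fetchTemplateSafe($scratch . '/templates', 'index.tpl');
```

The allow-list alone would already reject the demo's "../secret.txt"; the realpath() containment check is kept as well because it also covers symlinks inside the template directory and any encoding the regex did not anticipate, and because realpath() returning false gives a clean "not found" path before anything is opened.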

WAF Protection Rules

WAF Rule

matyhtf/framework before version 3.0.6 is affected by a path manipulation vulnerability in Smarty.class.php. The issue was fixed in version 3.0.6.
