7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.031 Low
EPSS
Percentile
91.1%
FuelPHP is a PHP web framework for creating web applications. FuelPHP applications contain an issue in the Request_Curl class, which may result in arbitrary code execution.
When specially crafted input is processed, arbitrary files may be deleted or arbitrary code may be executed on the application server.
Update to the latest version of the framework and address any applications that use the Request_Curl class
Update the framework to the latest version according to the information provided by the developer.
After updating, search for all controllers in the application that use the Request_Curl class. For each instance found, verify if the response from the cURL call can be trusted. If so, auto formatting can be enabled on the instance manually. If not, validation code needs to be added to validate the response received after executing the request. After succesful validation auto formatting can be enabled and set_response() can be called manually to construct the response in the correct format.
The developer has provided documentation on the safety implications of these settings.
FuelPHP applications that are created using the following versions are affected: