CVE-2023-49282

Summary

CVE-2023-49282 introduces a vulnerability in the msgraph-sdk-php, the Microsoft Graph Library for PHP. The SDK inadvertently included test code that enabled the phpInfo() function, exposing system information to any application with access to the file at "vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php". This vulnerability can only be exploited if the server is misconfigured, allowing the PHP application's vendor directory to be web accessible. An attacker could then execute the phpinfo() method through a crafted HTTP request, gaining access to sensitive information such as configuration, modules, and environment variables. This issue has been resolved in versions 1.109.1 and 2.0.0-RC5. As a temporary measure, you can delete the "vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file, restrict access to the /vendor directory, or disable the phpinfo function.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.