Packagist (Composer) package
facade/ignition
pkg:composer/facade/ignition
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43996 | — | | | < 1.16.15 | 1.16.15 | Nov 17, 2021 | The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. |
| CVE-2021-3129 | — | | KEV | >= 2.5.0, < 2.5.2 | 2.5.2 | Jan 12, 2021 | Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. |
| CVE-2020-13909 | — | | | >= 2.0.0, < 2.0.5 | 2.0.5 | Jun 7, 2020 | The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix. |