Kevin Bond

1 exploit Active since Jul 2023
CVE-2023-37473 WRITEUP HIGH WRITEUP
zenstruck/collection < 0.2.1 - Remote Code Execution via Callable String Injection
zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`.
CVSS 8.5