CVE-2024-42007

26.07.2024, 19:15

SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files.

Path Traversal

Enginsight

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| mitre | CNA | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:C/UI:N |
| CISA-ADP | ADP | - | - | - | - | - |
| CVE | ADP | - | - | - | - | - |

Base Score: CVSS 3.x

EPSS Score: Percentile: 72%

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/NoiseByNorthwest/php-spx/issues/251
https://www.vicarius.io/vsociety/posts/journey-to-discovery-and-exploitation-of-path-traversal-in-php-spx-cve-2024-42007