GHSA-7mc6-x925-7qvx: 
PHP vulnerability analysis and mitigation

The Microsoft Graph Beta PHP SDK contained a security vulnerability (GHSA-7mc6-x925-7qvx) in versions prior to 2.0.1, discovered and disclosed on December 5, 2023. The vulnerability existed in test code that exposed the phpinfo() function through the file vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php, which could reveal sensitive system information (GitHub Advisory).

The vulnerability has a CVSS v3.1 base score of 5.3 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue stems from a test file containing the phpinfo() function call, which could be accessed and executed if the PHP application's /vendor directory was web-accessible. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).

If exploited, an attacker could access sensitive system information including configuration details, modules, and environment variables. This information could potentially be used to gain access to additional data. The vulnerability requires a server misconfiguration (web-accessible /vendor directory) to be exploitable (GitHub Advisory).

The vulnerability has been patched in version 2.0.1 of the Microsoft Graph Beta PHP SDK. For users unable to update immediately, temporary workarounds include: deleting the vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php file, removing access to the /vendor directory, or disabling the phpinfo function (GitHub Advisory).