microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system information. The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function. This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible. The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpinfo() method. The attacker would then be able to get access to system information like configuration, modules, and environment variables and later on use the compromised secrets to access additional data. This problem has been patched in version 2.0.2. If an immediate deployment with the updated vendor package is not available, you can perform the following temporary workarounds: delete the vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php file, remove access to the /vendor directory, or disable the phpinfo function
CVE-2023-49283
This medium-severity CVE scores 5.4 under NVD CVSS v3. EPSS exploit probability: 0.3%, top 47% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 5.3
- EG Score
- 5.4(medium)
- EPSS
- 80.4%
- KEV
- Not listed
Published
December 5, 2023
Last Modified
June 17, 2026
References (10)
- security-advisories@githubhttps://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1
- security-advisories@githubhttps://github.com/microsoftgraph/msgraph-sdk-php-core/compare/2.0.1...2.0.2
- security-advisories@githubhttps://github.com/microsoftgraph/msgraph-sdk-php-core/security/advisories/GHSA-mhhp-c3cm-2r86
- security-advisories@githubhttps://github.com/microsoftgraph/msgraph-sdk-php/compare/1.109.0...1.109.1
- security-advisories@githubhttps://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
- af854a3a-2127-422b-91ae-364da2661108https://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1
- af854a3a-2127-422b-91ae-364da2661108https://github.com/microsoftgraph/msgraph-sdk-php-core/compare/2.0.1...2.0.2
- af854a3a-2127-422b-91ae-364da2661108https://github.com/microsoftgraph/msgraph-sdk-php-core/security/advisories/GHSA-mhhp-c3cm-2r86
- af854a3a-2127-422b-91ae-364da2661108https://github.com/microsoftgraph/msgraph-sdk-php/compare/1.109.0...1.109.1
- af854a3a-2127-422b-91ae-364da2661108https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
Affected Packages
(1 across 1 ecosystem)
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| microsoft/microsoft-graph-core | 2.0.0 ... 2.0.1 (14 versions) | 2.0.2 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 9× in last 7d / 45× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 05:45 UTCEPSS rescore
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-08 15:13 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 02:22 UTCEPSS rescore
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-02 16:59 UTCEPSS rescore
- 2026-07-01 15:05 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-30 23:21 UTCEPSS rescore
- 2026-06-29 14:05 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 14:06 UTCEPSS rescore
- 2026-06-28 04:55 UTCEPSS rescore
- 2026-06-27 03:07 UTCEPSS rescore
- 2026-06-27 03:04 UTCOSV refresh
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:04 UTCEPSS rescore
Show 56 moreShow fewer
- 2026-06-24 14:04 UTCEPSS rescore
- 2026-06-24 06:32 UTCNVD updateCVSS v3 → 5.3
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:47 UTCEPSS rescore
- 2026-06-14 23:16 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-13 22:59 UTCEPSS rescore
- 2026-06-12 23:11 UTCEPSS rescore
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:59 UTCEPSS rescore
- 2026-06-10 22:17 UTCEPSS rescore
- 2026-06-10 13:21 UTCEPSS rescore
- 2026-06-09 13:17 UTCOSV refresh
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-08 14:16 UTCEPSS rescore
- 2026-06-07 15:24 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 22:46 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-04 13:11 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-02 20:12 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:43 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 13:43 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-24 12:42 UTCEG score recompute
Related CVEs(same CWE)
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2023-49283?
When was CVE-2023-49283 disclosed?
Is CVE-2023-49283 actively exploited?
What is the CVSS score of CVE-2023-49283?
How do I remediate CVE-2023-49283?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-49283
Is Your Infrastructure Affected by CVE-2023-49283?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.