VYPR
Moderate severity · OSV Advisory · Published Dec 17, 2021 · Updated Jun 17, 2025

CVE-2021-23814

Description

This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps:

1. Install a package with a web Laravel application.
2. Navigate to the Upload window
3. Upload an image file, then capture the request
4. Edit the request contents with a malicious file (webshell)
5. Enter the path of file uploaded on URL - Remote Code Execution

Note: Prevention for bad extensions can be done by using a whitelist in the config file (lfm.php). Corresponding document can be found in here.
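
The kind of allowlist check the note describes, as an added example (not code from unisharp/laravel-filemanager or its lfm.php). `ALLOWED_UPLOADS` and `validateUpload()` are hypothetical names, and the sample bytes are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist (not the package's lfm.php keys):
// permitted extension => MIME types accepted for that extension.
const ALLOWED_UPLOADS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Validate an upload from server-side facts only. The Content-Type header
 * is deliberately not an input: the client controls it.
 * Returns the file name to store under, or null if the upload is rejected.
 */
function validateUpload(string $clientName, string $bytes): ?string
{
    // 1. The final extension must be on the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null;
    }
    // 2. The type sniffed from the bytes must match that extension.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($sniffed === false || !in_array($sniffed, ALLOWED_UPLOADS[$ext], true)) {
        return null;
    }
    // 3. Discard the client's name; keep only the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a GIF header and a plain-text body.
$gif  = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;";
$text = "plain text, not an image\n";

$cases = [
    ['photo.gif',     $gif],   // image name, image bytes
    ['photo.php',     $gif],   // image bytes under a script extension
    ['photo.gif',     $text],  // image name, non-image bytes
    ['photo.php.gif', $gif],   // double extension, renamed on acceptance
];
foreach ($cases as [$name, $bytes]) {
    $stored = validateUpload($name, $bytes);
    printf("%-14s => %s\n", $name, $stored ?? 'REJECTED');
}
```

Content sniffing inspects only the leading bytes, so the allowlisted extension on the stored name and an upload directory that the web server does not execute scripts from remain the controls that matter.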

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| unisharp/laravel-filemanager (Packagist) | < 2.6.2 | 2.6.2 |
