CVE-2021-23814
Description
This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps:
1. Install the package in a Laravel web application.
2. Navigate to the Upload window.
3. Upload an image file, then capture the request.
4. Edit the request contents with a malicious file (webshell).
5. Enter the path of the uploaded file in the URL, resulting in remote code execution.
Note: bad extensions can be prevented by using a whitelist in the config file (lfm.php); see the corresponding documentation.
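The whitelist the note recommends, shown as an added example in plain PHP. This is not code from unisharp/laravel-filemanager and does not reproduce its lfm.php settings; the function names, the allowlist layout and the sample files are assumptions constructed for the demonstration. It pairs an extension allowlist with a sniff of the uploaded bytes, so a request whose body was swapped for a PHP file after an image was selected (the capture-and-edit step above) fails on content even when the name still ends in .png, and it never reuses the client's filename when storing.

```php
<?php
// Added example, not code from unisharp/laravel-filemanager.
// Function names and the shape of $allowed are assumptions for this demo.
declare(strict_types=1);

/**
 * Return true only when the extension AND the sniffed MIME type are both on
 * the allowlist. Anything not explicitly allowed is rejected (deny by default).
 *
 * $allowed maps a lowercase extension to the MIME types it may carry, e.g.
 * ['jpg' => ['image/jpeg'], 'png' => ['image/png'], 'pdf' => ['application/pdf']]
 */
function isUploadAllowed(string $clientFilename, string $tmpPath, array $allowed): bool
{
    $ext = strtolower(pathinfo($clientFilename, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, $allowed)) {
        return false; // extension is not on the allowlist
    }

    // Sniff the content type from the bytes on disk, never from the
    // client-supplied Content-Type header or filename, both attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return false; // content does not match what the extension promises
    }
    return true;
}

/**
 * Storage name derived only from the validated extension; the client's
 * filename (and any path or double-extension trick inside it) is discarded.
 */
function safeStoredName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . strtolower($ext);
}

// Constructed demo inputs: a minimal PNG header and a PHP source file.
$allowed = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

$pngFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngFile, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
$phpFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpFile, "<?php echo 1;");

// Case 1: genuine image with a matching extension.
var_dump(isUploadAllowed('photo.png', $pngFile, $allowed));
// Case 2: extension outside the allowlist.
var_dump(isUploadAllowed('photo.php', $phpFile, $allowed));
// Case 3: allowed extension, but the body was replaced with PHP source.
var_dump(isUploadAllowed('photo.png', $phpFile, $allowed));

echo safeStoredName('png'), PHP_EOL;

unlink($pngFile);
unlink($phpFile);
```

The allowlist is the control the advisory names; storing accepted files outside the document root, or under a directory where the web server does not execute scripts, is the usual second layer so that a file which slips past validation is still served as static content rather than run.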
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| unisharp/laravel-filemanager | Packagist | < 2.6.2 | 2.6.2 |
Affected products
- Range: 0.1.0, 0.2.0, 0.3.0, …
References
- github.com/advisories/GHSA-f8x6-m9f5-ffp8 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23814 (GHSA: advisory)
- github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php (GHSA: web)
- github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php#L26 (GHSA: web)
- github.com/UniSharp/laravel-filemanager/commit/bd84899ce65a7f193e676dd8444e424fa50f64fa (GHSA: web)
- github.com/UniSharp/laravel-filemanager/issues/1113 (GHSA: web; MITRE)
- snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199 (GHSA: web)
- github.com/UniSharp/laravel-filemanager/releases/tag/v2.5.1 (MITRE)
- github.com/UniSharp/laravel-filemanager/releases/tag/v2.6.2 (MITRE)
- security.snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199 (MITRE)