Unrestricted Upload of File with Dangerous Type in jsdecena/laracom
Description
Unrestricted file upload in Laracom before v2.0.9 allows attackers to upload arbitrary files, potentially leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Laracom e-commerce application [2] (versions prior to v2.0.9) lacks validation on the image and cover file upload fields in the product creation form, as described in CVE-2022-0472 [1]. The UploadRequest class did not enforce file type or size restrictions, allowing any file to be uploaded. The fix adds `image|mimes:jpeg,png,jpg,gif,svg|max:2048` rules [3].
Exploitation
An attacker with access to the product creation functionality can upload a malicious file (e.g., a PHP web shell) by sending a crafted multipart request to the product upload endpoint. No authentication bypass is required if the attacker has seller or admin privileges. The uploaded file is stored in the public directory and can be accessed directly.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server, leading to full compromise of the application and underlying system. This includes data theft, defacement, or further lateral movement.
Mitigation
Upgrade to Laracom v2.0.9 or later, which includes the commit [3] that adds file type and size validation. Alternatively, apply the patch manually from the commit. No workaround is available for older versions.
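To make the Vulnerability and Mitigation sections concrete, here is an added standalone PHP check that mirrors what the patched rule `image|mimes:jpeg,png,jpg,gif,svg|max:2048` enforces. It is example code written for this page, not Laracom's own code and not Laravel's validator; the function name, the MIME whitelist table and the sample files are constructed here, and the approximation follows Laravel's documented behaviour (the `image` and `mimes` rules decide on content-sniffed MIME type, `max` on a file is in kilobytes). Running it shows why the pre-2.0.9 request, which had no rule at all, accepted a PHP script as a product image.

```php
<?php
// Added example (not Laracom's code): a standalone check that mirrors the
// semantics of the patched rule `image|mimes:jpeg,png,jpg,gif,svg|max:2048`,
// so the difference between the pre-2.0.9 behaviour (no rule at all) and the
// fixed behaviour can be exercised without a Laravel install.
// Assumptions (constructed for this example): a file is a temp path plus the
// client-supplied name; the allowed types and the size limit follow the patch.

declare(strict_types=1);

const ALLOWED_MIMES = [
    'image/jpeg'    => ['jpeg', 'jpg'],
    'image/png'     => ['png'],
    'image/gif'     => ['gif'],
    'image/svg+xml' => ['svg'],
];
const MAX_KILOBYTES = 2048; // Laravel's max:2048 on a file is measured in KB

/**
 * Returns an empty array when the file passes, otherwise a list of failure
 * reasons. The type decision is made on the sniffed content (finfo), never on
 * the client-supplied name, so a PHP script renamed to ".png" still fails.
 */
function validateProductImage(string $path, string $clientName): array
{
    if (!is_file($path)) {
        return ['file is missing'];
    }
    $errors = [];

    // max:2048 -> size in kilobytes must not exceed 2048
    if (filesize($path) > MAX_KILOBYTES * 1024) {
        $errors[] = 'file exceeds ' . MAX_KILOBYTES . ' KB';
    }

    // image / mimes -> sniff the content and compare against the whitelist
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path) ?: 'application/octet-stream';
    if (!isset(ALLOWED_MIMES[$mime])) {
        $errors[] = "content type $mime is not an allowed image type";
    } else {
        // Stricter than Laravel's mimes rule: the client extension must also
        // agree with the sniffed type, so nothing is stored under a misleading name.
        $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_MIMES[$mime], true)) {
            $errors[] = "extension .$ext does not match content type $mime";
        }
    }
    return $errors;
}

// --- constructed sample inputs -------------------------------------------
$tmp = sys_get_temp_dir();

// A real 1x1 transparent GIF, i.e. what the form is meant to accept
$gif = "$tmp/ok.gif";
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

// A harmless PHP script, the kind of non-image the unvalidated form let through
$script = "$tmp/looks-like-image.png";
file_put_contents($script, "<?php echo 'not an image'; ?>\n");

$cases = [
    [$gif,    'ok.gif'],                // accepted
    [$script, 'looks-like-image.png'],  // rejected: sniffed type is not an image
    [$script, 'upload.php'],            // rejected: sniffed type is not an image
    [$gif,    'ok.php'],                // rejected: extension disagrees with content
];
foreach ($cases as [$path, $name]) {
    $errors = validateProductImage($path, $name);
    printf("%-22s -> %s\n", $name, $errors ? implode('; ', $errors) : 'accepted');
}
unlink($gif);
unlink($script);
```

Run it with `php check.php`; it needs only the bundled fileinfo extension. Two deployment notes follow from the patched rule itself: `svg` stays on the whitelist, and SVG is XML that may carry script, so sites that serve uploaded images inline usually pair this rule with a content-type and content-disposition policy on the upload directory; and since L10 points out that uploads land in the public directory, keeping web-server execution disabled for that directory is a second, independent layer behind the validation rule.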
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jsdecena/laracom (Packagist) | < 2.0.9 | 2.0.9 |
Affected products
- jsdecena / laracom (version range: unspecified)
Patches
- 256026193ce9: Fix vulnerability report from hunter.dev
1 file changed · +3 −1
project/app/Shop/Products/Requests/UpdateProductRequest.php+3 −1 modified@@ -20,7 +20,9 @@ public function rules() 'quantity' => ['required', 'integer', 'min:0'], 'price' => ['required', 'numeric', 'min:0'], 'sale_price' => ['nullable', 'numeric'], - 'weight' => ['nullable', 'numeric', 'min:0'] + 'weight' => ['nullable', 'numeric', 'min:0'], + 'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048', + 'cover' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048', ]; } }
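Review bot: The hunk adds the `image` and `cover` rules only to UpdateProductRequest.php, yet the description above refers to the product creation form (and the narrative names an UploadRequest class); confirm that the request class validating product creation carries the same two rules, otherwise the create path stays unvalidated after this commit. Also, the two new entries are pipe-delimited strings (`'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048'`) while every neighbouring rule in the hunk uses the array form (`['nullable', 'numeric', 'min:0']`); writing them as `['image', 'mimes:jpeg,png,jpg,gif,svg', 'max:2048']` keeps the file consistent.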
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5q5w-mqp6-g2gh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0472 (advisory)
- github.com/jsdecena/laracom/commit/256026193ce994dc4c1365e02f414d8a0cd77ae8 (fix commit, x_refsource_MISC)
- huntr.dev/bounties/cb5b8563-15cf-408c-9f79-4871ea0a8713 (bounty report, x_refsource_CONFIRM)