CVE-2021-23814

This affects the package unisharp/laravel-filemanager from 0.0.0.
The upload() function does not sufficiently validate the file type when uploading.

An attacker may be able to reproduce the following steps:

– Install the package in a Laravel web application.
– Navigate to the Upload window.
– Upload an image file, then capture the request.
– Edit the captured request to substitute a malicious file (webshell).
– Enter the path of the uploaded file in the URL – Remote Code Execution.

**Note:** Bad extensions can be prevented by using a whitelist in the config file (lfm.php). The corresponding documentation can be found [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).
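As an added example (not laravel-filemanager's own code), the following PHP check illustrates the kind of server-side validation the note calls for: an allowlist of extensions, each paired with the MIME types its bytes must actually carry, so a request whose file body or name has been altered after capture is rejected regardless of the client-declared Content-Type. The constant and function names are assumptions made for this illustration.

```php
<?php
// Added example: server-side upload validation that does not trust the
// client-supplied Content-Type or file name. Not code from the project.
declare(strict_types=1);

// Allowlist of extensions and the MIME types each may legitimately carry.
// Assumption: this application only needs to accept common raster images;
// image/svg+xml is deliberately left out because SVG can embed script.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'webp' => ['image/webp'],
];

/**
 * Decide whether an uploaded file may be stored.
 * $tmpPath is the server-side temporary file written by PHP; $clientName is
 * the user-supplied name (e.g. $_FILES['upload']['name']) and is untrusted.
 * Returns null when the upload is accepted, otherwise a short rejection reason.
 */
function validateUpload(string $tmpPath, string $clientName): ?string
{
    // Reject names carrying path components or more than one dot
    // (e.g. "shell.php.jpg"), so exactly one allowlisted extension remains.
    $base = basename($clientName);
    if ($base !== $clientName || substr_count($base, '.') !== 1) {
        return 'bad-filename';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return 'bad-extension';
    }

    // Sniff the real type from the file bytes. The Content-Type field in the
    // multipart body is chosen by the client and is never consulted here.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$ext], true)) {
        return 'content-mismatch';
    }
    return null;
}

// Controller usage: store only on success, and never reuse the client name
// as the stored name (a random name plus the validated extension instead).
// $err = validateUpload($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
// if ($err !== null) { http_response_code(422); exit($err); }
```

The whitelist in lfm.php restricts which MIME types the file manager accepts per folder category; the function above shows the same allowlisting idea applied at the point where an upload handler decides whether to write a file at all.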

Source: CVE-2021-23814
