CVE-2021-23814
This affects the package unisharp/laravel-filemanager from version 0.0.0.
The upload() function does not sufficiently validate the file type of an uploaded file.
An attacker may be able to reproduce the following steps:

- Install the package in a Laravel web application.
- Navigate to the Upload window.
- Upload an image file, then capture the request.
- Edit the request contents to replace the image with a malicious file (webshell).
- Enter the path of the uploaded file in the URL, resulting in Remote Code Execution.
**Note:** Bad extensions can be prevented by using a whitelist in the config file (lfm.php). The corresponding documentation can be found [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).
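As an added illustration of the whitelist approach the note refers to (not text from the advisory or the project's own shipped file), the fragment below shows the per-category allow-list in config/lfm.php. The key names `folder_categories` and `valid_mime` are assumed from the project's published configuration documentation; check them against the version you have installed.

```php
<?php
// Added example: excerpt of config/lfm.php with a restrictive per-category
// MIME allow-list. Key names are assumed from the project's documentation.
return [
    'folder_categories' => [
        'file' => [
            'folder_name'  => 'files',
            'startup_view' => 'list',
            'max_size'     => 50000, // size in KB
            // Only types the application actually needs; anything else is rejected.
            'valid_mime'   => [
                'application/pdf',
                'image/jpeg',
                'image/png',
            ],
        ],
        'image' => [
            'folder_name'  => 'photos',
            'startup_view' => 'grid',
            'max_size'     => 50000, // size in KB
            // Raster image types only; no script-capable or text types.
            'valid_mime'   => [
                'image/jpeg',
                'image/png',
                'image/gif',
            ],
        ],
    ],
];
```

A MIME allow-list is a client-supplied hint, so pair it with an upgraded package version and a web server rule that never executes scripts from the upload directory.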
Source: CVE-2021-23814