Arbitrary File Upload
CVE-2021-23814

6.7MEDIUM

Key Information:

Vendor: Unisharp
Status: Unisharp/laravel-filemanager
Vendor: CVE Published:; 17 December 2021

What is CVE-2021-23814?

This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.

An attacker may be able to reproduce the following steps:

Install a package with a web Laravel application.
Navigate to the Upload window
Upload an image file, then capture the request
Edit the request contents with a malicious file (webshell)
Enter the path of file uploaded on URL - Remote Code Execution

Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in here.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

unisharp/laravel-filemanager 0 < 2.6.2

References

https://security.snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFIL...

https://github.com/UniSharp/laravel-filemanager/blob/mast...

https://github.com/UniSharp/laravel-filemanager/releases/...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2021
Vulnerability Reserved
Jan 8, 2021

Credit

Huy Nguyen

JSON

Unisharp

What is CVE-2021-23814?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.