Livewire Fixes Validation Vulnerability in Laravel
CVE-2024-47823

9.8CRITICAL

Key Information:

Vendor: Livewire
Status: Livewire
Vendor: CVE Published:; 8 October 2024

What is CVE-2024-47823?

The Livewire framework for Laravel contains a vulnerability where file extensions of uploaded files are determined based on their MIME types, without proper validation of the actual file extension. This flaw allows an attacker to exploit the system by uploading a malicious file that appears benign (such as an image) but is actually a PHP file, triggering potential remote code execution. This security issue arises when the filename is derived from the original file name, and if the files are stored in a publicly accessible directory on the server where PHP execution is enabled. The issue has been resolved in versions 2.12.7 and 3.5.2; users are urged to update their systems immediately.

Affected Version(s)

livewire < 3.5.2

References

https://github.com/livewire/livewire/security/advisories/...

x_refsource_CONFIRM

https://github.com/livewire/livewire/commit/70503b79f5db7...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Oct 3, 2024