U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2021-23814

Change History

CVE Modified by Snyk 12/17/2021 4:15:07 PM

Action Type Old Value New Value
Changed Description 
This affects the package unisharp/laravel-filemanager from 0.0.0.
 The upload() function does not sufficiently validate the file type when uploading.

An attacker may be able to reproduce the following steps:

- Install a package with a web Laravel application.
- Navigate to the Upload window
- Upload an image file, then capture the request
- Edit the request contents with a malicious file (webshell)
- Enter the path of file uploaded on URL - Remote Code Execution


**Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).

This affects the package unisharp/laravel-filemanager from 0.0.0. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on URL - Remote Code Execution **Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).