GoogleOSV:GHSA-5M2H-7RF2-RPX6UniSharp Laravel Filemanager directory traversal vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
95.5%
UniSharp laravel-filemanager (aka Laravel Filemanager) with league/flysystem version < 2.0.0 allows download?working_dir=%2F… directory traversal to read arbitrary files, as exploited in the wild in June 2022.
Since v2.6.4, UniSharp laravel-filemanager (aka Laravel Filemanager) requires users to install league/flysystem version >= 2.0.0.
References
github.com/UniSharp/laravel-filemanager
github.com/UniSharp/laravel-filemanager/commit/8a357d02e8f54ddf130961c64ff2cfc1882bbfcf
github.com/UniSharp/laravel-filemanager/issues/1150
github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966
github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417
nvd.nist.gov/vuln/detail/CVE-2022-40734
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
95.5%