This affects the package unisharp/laravel-filemanager prior to version 2.6.2. The upload()
function does not sufficiently validate the file type when uploading.
An attacker may be able to reproduce the following steps:
**Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the here.
github.com/UniSharp/laravel-filemanager
github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php#L26
github.com/UniSharp/laravel-filemanager/blob/master/src/Controllers/UploadController.php%23L26
github.com/UniSharp/laravel-filemanager/commit/bd84899ce65a7f193e676dd8444e424fa50f64fa
github.com/UniSharp/laravel-filemanager/issues/1113#issuecomment-1812092975
nvd.nist.gov/vuln/detail/CVE-2021-23814
snyk.io/vuln/SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199