OSV:GHSA-F8X6-M9F5-FFP8
Published: Jan 06, 2022 - 9:08 p.m.

Unrestricted Upload of File with Dangerous Type in unisharp/laravel-filemanager

2022-01-06 21:08:34
Source: Google osv.dev
unisharp/laravel-filemanager
unrestricted upload
file type validation
remote code execution
whitelist prevention

AI Score: 8.9
Confidence: High
EPSS: 0.002
Percentile: 57.0%

This affects the package unisharp/laravel-filemanager prior to version 2.6.2. The upload() function does not sufficiently validate the file type when uploading.

The issue can be reproduced with the following steps:

  • Install the package in a Laravel web application.
  • Navigate to the upload window.
  • Upload an image file and capture the request with an intercepting proxy.
  • Edit the captured request so that the file part carries a malicious file (a webshell) instead of the image; the filename and declared content type are attacker-controlled.
  • Request the path of the uploaded file in the browser.
  • The server executes the uploaded file: remote code execution.

Note: uploads with dangerous extensions can be prevented by configuring a whitelist of allowed types in the package's config file (lfm.php). The corresponding package documentation describes this option.
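The reproduction above works because the upload handler decides on the basis of metadata the client sent. The following PHP script is an added illustration, not code from unisharp/laravel-filemanager or from the advisory: it puts a check that trusts the request's declared content type next to one that allowlists the extension and inspects the bytes on disk, and runs both over constructed sample uploads. The function names, the allowlists and the sample files are assumptions made for the example; it assumes PHP 8 with the fileinfo and gd extensions.

```php
<?php
// Added illustration, not code from unisharp/laravel-filemanager.
// Assumes PHP 8 with the fileinfo and gd extensions (standard in most builds).

// Vulnerable pattern: trusts the MIME type the client declared for the part.
// In the intercepted request from the advisory, both 'name' and 'type' are
// attacker-controlled, so this check is bypassed by editing two header lines.
function isAllowedTrustingRequest(array $file, array $allowedMimes): bool
{
    return in_array($file['type'], $allowedMimes, true);
}

// Hardened pattern: allowlist the final extension, then confirm the bytes on
// disk match the MIME type expected for that extension. Returns null when the
// upload is accepted, otherwise a short reason for the rejection.
function isAllowedValidatingContent(array $file, array $allowedByExt): ?string
{
    // Only the last extension counts: "shell.jpg.php" must be judged as "php".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, $allowedByExt)) {
        return "extension '{$ext}' is not in the allowlist";
    }

    // libmagic looks at the file contents, not at the request's Content-Type.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowedByExt[$ext]) {
        return "content is {$detected}, expected {$allowedByExt[$ext]} for .{$ext}";
    }

    // For images, additionally require that the header parses as an image.
    if (str_starts_with($detected, 'image/') && @getimagesize($file['tmp_name']) === false) {
        return 'image header does not parse';
    }
    return null;
}

// Constructed sample inputs (not captured from a real request).
$allowedMimes = ['image/gif', 'image/png', 'image/jpeg'];
$allowedByExt = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

$webshell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($webshell, "<?php system(\$_GET['cmd']); ?>");
$gif = tempnam(sys_get_temp_dir(), 'up');
// A 1x1 transparent GIF, the smallest image that both libmagic and gd accept.
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

$cases = [
    // What the proxy-edited request from the advisory looks like to the server:
    // the part claims to be a JPEG, the bytes are PHP, and the name ends in .php.
    ['name' => 'shell.php', 'type' => 'image/jpeg', 'tmp_name' => $webshell],
    // PHP source renamed to an allowed extension: extension passes, content fails.
    ['name' => 'shell.gif', 'type' => 'image/gif', 'tmp_name' => $webshell],
    // A genuine GIF: both checks accept it.
    ['name' => 'pixel.gif', 'type' => 'image/gif', 'tmp_name' => $gif],
];

foreach ($cases as $f) {
    $weak   = isAllowedTrustingRequest($f, $allowedMimes) ? 'accepted' : 'rejected';
    $strong = isAllowedValidatingContent($f, $allowedByExt) ?? 'accepted';
    printf("%-10s trusting request: %-8s  validating content: %s\n",
        $f['name'], $weak, $strong);
}

unlink($webshell);
unlink($gif);
```

The first case is the advisory's scenario: the weak check accepts it because the declared type is on the list, while the hardened check rejects it on the extension alone. Content inspection is a second layer, not a replacement for the extension allowlist: a file that starts with a valid GIF header and carries PHP after it passes both content checks, so the upload directory should also be served without a script handler, and the package's own whitelist in lfm.php remains the first control to configure.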

