CVE-2023-35169

PHP-IMAP is a wrapper for common IMAP communication without the need to
have the php-imap module installed / enabled. Prior to version 5.3.0, an
unsanitized attachment filename allows any unauthenticated user to leverage
a directory traversal vulnerability, which results in a remote code
execution vulnerability. Every application that stores attachments with
Attachment::save() without providing a $filename or passing unsanitized
user input is affected by this attack. An attacker can send an email with a
malicious attachment to the inbox, which gets crawled with
webklex/php-imap or webklex/laravel-imap. Prerequisite for the
vulnerability is that the script stores the attachments without providing a
$filename, or providing an unsanitized $filename, in
src/Attachment::save(string $path, string $filename = null). In this
case, where no $filename gets passed into the Attachment::save()
method, the package would use a series of unsanitized and insecure input
values from the mail as fallback. Even if a developer passes a $filename
into the Attachment::save() method, e.g. by passing the name or filename
of the mail attachment itself (from email headers), the input values never
get sanitized by the package. There is also no restriction about the file
extension (e.g. “.php”) or the contents of a file. This allows an attacker
to upload malicious code of any type and content at any location where the
underlying user has write permissions. The attacker can also overwrite
existing files and inject malicious code into files that, e.g. get executed
by the system via cron or requests. Version 5.3.0 contains a patch for this
issue.