6.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23814

GHSA ID

GHSA-f8x6-m9f5-ffp8

EPSS Score

0.83247%

CWE

CWE-434

Published

1/6/2022

Updated

4/22/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23814

CVE-2021-23814:
Unrestricted Upload of File with Dangerous Type in unisharp/laravel-filemanager

This affects the package unisharp/laravel-filemanager prior to version 2.6.2. The upload() function does not sufficiently validate the file type when uploading.

An attacker may be able to reproduce the following steps:

Install a package with a web Laravel application.
Navigate to the Upload window
Upload an image file, then capture the request
Edit the request contents with a malicious file (webshell)
Enter the path of file uploaded on URL
Remote Code Execution

**Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the here.

(GitHub Advisory)

6.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23814

GHSA ID

GHSA-f8x6-m9f5-ffp8

EPSS Score

0.83247%

CWE

CWE-434

Published

1/6/2022

Updated

4/22/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
unisharp/laravel-filemanager	composer	< 2.6.2	2.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient file type validation in two key functions:

LfmPath::validateUploadedFile orchestrated validation but omitted extension checks prior to the patch.
LfmUploadValidator::isNotExcutable relied solely on MIME type blocklisting, which is trivially bypassable. The patch added a separate extension check (extensionIsNotExcutable) and renamed the original method to clarify its scope. The presence of these pre-patch functions allowed unrestricted uploads of executable files via MIME spoofing or direct dangerous extensions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** unis**rp/l*r*v*l-*il*m*n***r prior to v*rsion *.*.*. T** `uplo**()` *un*tion *o*s not su**i*i*ntly v*li**t* t** *il* typ* w**n uplo**in*. *n *tt**k*r m*y ** **l* to r*pro*u** t** *ollowin* st*ps: - Inst*ll * p**k*** wit* * w

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt *il* typ* v*li**tion in two k*y *un*tions: *. **L*mP*t*::v*li**t*Uplo*****il*** or***str*t** v*li**tion *ut omitt** *xt*nsion ****ks prior to t** p*t**. *. **L*mUplo**V*li**tor::isNot*x*ut**l*** r*li** sol*

6.7

Basic Information

Concerned about an active attack path?

CVE-2021-23814: Unrestricted Upload of File with Dangerous Type in unisharp/laravel-filemanager

6.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-23814:
Unrestricted Upload of File with Dangerous Type in unisharp/laravel-filemanager

Vulnerability Intelligence
Miggo AI