
CVE-2023-29931: laravel-s vulnerable to Local File Inclusion

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.55995%
Published: 6/22/2023
Updated: 12/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: hhxsv5/laravel-s
Ecosystem: composer
Vulnerable Versions: < 3.7.36
First Patched Version: 3.7.36

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the URI validation logic in the handleStatic function. The original code checked the URI path for '/../' but not for '/..'. The patch changed strpos($uri, '/../') to strpos($uri, '/..'), indicating that the original check was insufficient to block all path traversal attempts. This function serves static files, and the insufficient sanitization allows Local File Inclusion via specially crafted URIs. The direct correlation between the security patch and this function's logic confirms its role in the vulnerability.
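As an added illustration (not code from laravel-s, from Miggo, or from the patch itself), the following PHP contrasts the two substring checks the analysis describes and adds a realpath-based containment check as a stricter alternative for serving static files. The function names, the sample URIs and the temporary directory used for the demo are assumptions made for this example.

```php
<?php
// Added example: it is NOT the laravel-s handleStatic code. It reproduces the
// two URI checks described in the root-cause analysis and shows a stricter
// containment check. All names and sample inputs are assumptions.

// Check as described for versions before 3.7.36: only the literal '/../'
// substring is rejected. Note the strict '!== false' comparison: strpos()
// returns 0 when the match is at offset 0, which a loose check would treat
// as "not found".
function rejectsTraversalOld(string $uri): bool
{
    return strpos($uri, '/../') !== false;
}

// Check as described for the patched version (3.7.36): any '/..' is rejected,
// including one at the very end of the path.
function rejectsTraversalPatched(string $uri): bool
{
    return strpos($uri, '/..') !== false;
}

// Defence in depth (assumed design, not laravel-s code): resolve the requested
// file on disk and require the result to stay inside the public directory.
// Returns the resolved path of a regular file, or null if the request must be
// refused. This does not rely on spotting '..' substrings at all.
function resolveStaticPath(string $publicDir, string $uri): ?string
{
    $base = realpath($publicDir);
    if ($base === false) {
        return null;
    }
    $path = parse_url($uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim(rawurldecode($path), '/'));
    if ($target === false) {
        return null; // does not exist, so nothing to serve
    }
    // $target must be $base itself or a descendant of $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the public directory
    }
    return is_file($target) ? $target : null;
}

// Constructed sample URIs for the two substring checks.
$samples = [
    '/css/app.css',    // ordinary static asset: both checks allow
    '/css/../app.css', // contains '/../': both checks reject
    '/css/..',         // ends in '/..': only the patched check rejects
];
foreach ($samples as $uri) {
    printf("%-18s old=%-6s patched=%s\n", $uri,
        rejectsTraversalOld($uri) ? 'reject' : 'allow',
        rejectsTraversalPatched($uri) ? 'reject' : 'allow');
}

// Constructed public directory for the containment check.
$publicDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'static_demo_' . getmypid();
mkdir($publicDir . DIRECTORY_SEPARATOR . 'css', 0700, true);
file_put_contents($publicDir . DIRECTORY_SEPARATOR . 'css' . DIRECTORY_SEPARATOR . 'app.css', 'body{}');

var_dump(resolveStaticPath($publicDir, '/css/app.css') !== null); // bool(true): served
var_dump(resolveStaticPath($publicDir, '/css/..'));               // NULL: resolves to a directory, refused
var_dump(resolveStaticPath($publicDir, '/css/../../outside.txt')); // NULL: would leave $publicDir, refused

// Clean up the constructed directory.
unlink($publicDir . DIRECTORY_SEPARATOR . 'css' . DIRECTORY_SEPARATOR . 'app.css');
rmdir($publicDir . DIRECTORY_SEPARATOR . 'css');
rmdir($publicDir);
```

The loop over the sample URIs shows the gap the analysis points at: a URI whose path ends in '/..' contains no '/../' substring, so the pre-3.7.36 check lets it through while the patched check refuses it. The realpath-based function is the check a reviewer would ask for in addition to the substring test, because it decides on the resolved filesystem location rather than on the spelling of the request.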


WAF Protection Rules

WAF Rule

laravel-s prior to 3.7.36 is vulnerable to Local File Inclusion via `/src/Illuminate/Laravel.php`.
