CVE-2024-21546: UniSharp Laravel Filemanager Code Injection vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.34626%
Published: 12/18/2024
Updated: 12/18/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: unisharp/laravel-filemanager
Ecosystem: composer
Vulnerable Versions: < 2.9.1
First Patched Version: 2.9.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from two gaps: 1) the explicit extension blocklist check (extensionIsNotExcutable) did not account for special-character suffixes appended to a blocked extension, which can change how the server interprets the stored file; 2) no validation rejected extensions containing non-alphanumeric characters. The patch added both an InvalidExtensionException and a regex check in extensionIsValid(), confirming that these safeguards were missing in vulnerable versions.
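As an added illustration (not code from unisharp/laravel-filemanager or from Miggo), the following PHP contrasts a blocklist-only extension check with one that additionally enforces an alphanumeric-only regex, the kind of check the 2.9.1 patch added to extensionIsValid(). The function names, the blocklist contents, the exact regex and the sample filenames are assumptions; InvalidExtensionException is modelled on the exception named above.

```php
<?php
// Added example, not the library's own code. It shows why a blocklist alone
// is insufficient and what the regex safeguard rejects. Names are assumptions.

final class InvalidExtensionException extends RuntimeException {}

function clientExtension(string $originalName): string
{
    // Extension as taken from the client-supplied filename: everything after
    // the last dot. For a name ending in "." this yields the empty string.
    return pathinfo($originalName, PATHINFO_EXTENSION);
}

// Before the patch (modelled): only a blocklist of executable extensions.
function blocklistOnlyCheck(string $originalName): bool
{
    $executable = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar']; // assumed list
    $ext = strtolower(clientExtension($originalName));
    return !in_array($ext, $executable, true);
}

// After the patch (modelled): reject any extension that is not [A-Za-z0-9]+
// before consulting the blocklist, so empty or suffixed extensions never pass.
function hardenedCheck(string $originalName): bool
{
    $ext = clientExtension($originalName);
    if (!preg_match('/^[a-zA-Z0-9]+$/', $ext)) {
        throw new InvalidExtensionException("Rejected extension: '{$ext}'");
    }
    return blocklistOnlyCheck($originalName);
}

// Constructed sample filenames, as an upload handler would receive them.
foreach (['avatar.jpg', 'shell.php', 'shell.php.', 'notes.tar.gz'] as $name) {
    $before = blocklistOnlyCheck($name) ? 'accepted' : 'rejected';
    try {
        $after = hardenedCheck($name) ? 'accepted' : 'rejected';
    } catch (InvalidExtensionException $e) {
        $after = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-14s blocklist-only: %-9s hardened: %s\n", $name, $before, $after);
}
```

The blocklist-only check accepts "shell.php." because its extracted extension is empty and therefore not on the list; the regex check refuses it outright, which is the gap the patch closes.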


WAF Protection Rules

WAF Rule

Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious …
