
CVE-2024-42485: Filament Excel Vulnerable to Path Traversal Attack on Export Download Endpoint

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.44496%
Published: 8/12/2024
Updated: 9/16/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pxlrbt/filament-excel | composer | >= 2.0.0-alpha, < 2.3.3 | 2.3.3 |
| pxlrbt/filament-excel | composer | < 1.1.14 | 1.1.14 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability exists in the route definition shown in routes/web.php, where:

  1. No authentication middleware was present (the patch added the 'signed' middleware).
  2. Storage::disk()->path($path) was called directly with user-controlled input.
  3. The 'path' parameter was unrestricted, matched by a '.*' regex pattern, so directory separators and `../` sequences passed straight through to the handler.
  4. The patch added signed-URL validation and explicit path construction, confirming that the original handler lacked these security controls.
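The three weaknesses above map directly onto a Laravel route. The following is an added example, not code from the filament-excel project or its patch: it shows a download route with the described weaknesses beside a hardened version that applies the same controls the patch introduced (the 'signed' middleware and explicit path construction). The route names, the 'exports' disk and the `exportDownloadUrl()` helper are assumptions made for the example.

```php
<?php
// Added example (not the filament-excel project's own code). Route names,
// the 'exports' disk and exportDownloadUrl() are assumptions.

use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;

// BEFORE: the pattern described in the root cause analysis. No middleware,
// `{path}` may contain slashes, and the raw value is handed to the disk.
Route::get('example-export/{path}', function (string $path) {
    return response()->download(Storage::disk('exports')->path($path));
})->where('path', '.*');

// AFTER: only signed, time-limited URLs are accepted, and the file location
// is constructed by the server rather than taken from the request.
Route::get('example-export/{filename}', function (string $filename) {
    $disk = Storage::disk('exports');

    // Keep only the final path segment; any directory component is dropped.
    $safeName = basename($filename);

    // Defence in depth: resolve both paths and verify containment, so a
    // misconfigured disk root or a symlink cannot point outside the root.
    $root = realpath($disk->path(''));
    $target = realpath($disk->path($safeName));
    if ($root === false || $target === false
        || !str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        abort(404);
    }

    return $disk->download($safeName);
})
    ->where('filename', '[A-Za-z0-9._-]+') // no slashes reach the handler
    ->middleware('signed')                 // rejects unsigned or expired URLs
    ->name('example-export.download');

// Issuing a link: only this application can produce a valid signature,
// and the link stops working after five minutes.
function exportDownloadUrl(string $filename): string
{
    return URL::temporarySignedRoute(
        'example-export.download',
        now()->addMinutes(5),
        ['filename' => basename($filename)],
    );
}
```

The regex still admits a bare `..`, which `basename()` leaves unchanged; the `realpath()` containment check is what turns that into a 404, which is why the hardened route keeps both layers rather than relying on the route constraint alone. Requests with no signature, a tampered filename or an expired timestamp are rejected by the 'signed' middleware before the handler runs.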

WAF Protection Rules

WAF Rule

### Impact

The export download route `/filament-excel/{path}` allowed downloading any file without login when the webserver allows `../` in the URL.

### Patches

Patched with Version v2.3.3

### Credits

Thanks to Kevin Po*l for reporting this.
