Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unsafe Client MIME Type Handling Can Enable Arbitrary File Upload in plank/laravel-mediable
Vulnerability Description
plank/laravel-mediable through version 6.4.0 can allow upload of a dangerous file type when an application using the package accepts or prefers a client-supplied MIME type during file upload handling. In that configuration, a remote attacker can submit a file containing executable PHP code while declaring a benign image MIME type, resulting in arbitrary file upload. If the uploaded file is stored in a web-accessible and executable location, this may lead to remote code execution. At the time of publication, no patch was available and the vendor had not responded to coordinated disclosure attempts.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
危险类型文件的不加限制上传
Vulnerability Title
Laravel-Mediable 安全漏洞
Vulnerability Description
Laravel-Mediable是Plank开源的一个Laravel媒体文件管理包。 laravel-mediable 6.4.0及之前版本存在安全漏洞,该漏洞源于应用程序在使用该包处理文件上传时接受或偏好客户端提供的MIME类型,可能导致上传包含可执行PHP代码的文件,进而导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A