CVE-2024-21546

CRITICAL

Unisharp Laravel-filemanager < 2.9.1 - Code Injection

Description

Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) by using a valid MIME type and inserting the "." character after the php file extension. This allows an attacker to execute malicious code.

Exploits (1)

nomisec WORKING POC 4 stars
by ajdumanhug · poc
https://github.com/ajdumanhug/CVE-2024-21546

Scores

CVSS v3 9.8
EPSS 0.0328
EPSS Percentile 87.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
n/a/unisharp/laravel-filemanager < 2.9.1
unisharp/laravel-filemanager 0 - 2.9.1 (Packagist)
Published Dec 18, 2024
Tracked Since Feb 18, 2026