CVE-2020-10963

Name of the Vulnerable Software and Affected Versions FrozenNode Laravel-Administrator versions 5.0.12 and earlier

Description The issue allows unrestricted file upload and consequently Remote Code Execution via the "admin/tips image/image/file upload" API endpoint, where an attacker can upload a GIF image with PHP content and a .php extension. The product is discontinued.

Recommendations For versions 5.0.12 and earlier, as a temporary workaround, consider disabling the admin/tips image/image/file upload endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.