PT-2021-15554 · Unknown · Unisharp/Laravel-Filemanager

Author: Huy Nguyen
Published: 2021-12-17
Updated: 2025-06-17
CVE: CVE-2021-23814
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: unisharp/laravel-filemanager, versions prior to 2.6.2.
Description: The vulnerability stems from insufficient validation of file types during the upload process, specifically in the upload() function. An attacker can upload malicious files, such as webshells, by capturing an upload request and editing it. The exploitation steps described are: install the package in a Laravel web application, open the upload window, upload an image file, capture the request, edit it to include a malicious file, then browse to the uploaded file's path to achieve remote code execution. Prevention: configure a whitelist of allowed file types in the config file (lfm.php), as described in the package documentation.
Recommendations: For versions prior to 2.6.2, update to version 2.6.2 or later, which resolves the issue. As a temporary workaround until the patch is applied, configure a whitelist in the config file (lfm.php) so that dangerous extensions are rejected. Restrict access to the upload functionality to the users who need it, to minimize the risk of exploitation.
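The whitelist-based check the advisory recommends, written out as a stand-alone PHP example (added here; it is not the advisory's own code and not the package's lfm.php or upload() implementation, whose config keys are not reproduced): the extension from the untrusted client filename is matched against an allowlist, and the MIME type detected from the file bytes must agree with it, so a script renamed to an image extension or a tampered Content-Type header is rejected. ALLOWED_UPLOADS, validateUpload and safeDestination are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: extension => MIME types acceptable for that extension,
// as detected from the file contents (never from the request's Content-Type).
const ALLOWED_UPLOADS = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null if the upload is acceptable, or a rejection reason otherwise.
 * $clientName is the untrusted filename from the request; $tmpPath is where PHP
 * stored the upload (normally $_FILES['upload']['tmp_name']).
 */
function validateUpload(string $clientName, string $tmpPath): ?string
{
    // Only the final extension counts: "shell.php.png" is treated as "png" and then
    // fails the content check below because its bytes are not a PNG image.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_UPLOADS)) {
        return "extension '$ext' is not in the allowlist";
    }

    // Server-side detection of the real content type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_UPLOADS[$ext], true)) {
        return "detected type '" . ($detected ?: 'unknown') . "' does not match extension '$ext'";
    }
    return null;
}

/** Server-chosen destination name, so the client filename never reaches the disk. */
function safeDestination(string $uploadDir, string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed input: a PHP script disguised as an image by its filename.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed test payload'; ?>");
$reason = validateUpload('avatar.png', $tmp);
echo $reason === null ? "accepted\n" : "rejected: $reason\n";
unlink($tmp);
```

In a real handler, call is_uploaded_file() on the temporary path before validating, and store accepted files under the name from safeDestination() in a directory the web server does not execute scripts from.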

Tags: Fix · RCE · Unrestricted File Upload · Code Injection

Related Identifiers:
CVE-2021-23814
GHSA-F8X6-M9F5-FFP8
SNYK-PHP-UNISHARPLARAVELFILEMANAGER-1567199

Affected Products:
Unisharp/Laravel-Filemanager