PT-2022-12299 · Spatie · Media-Library-Pro

Kelvin Yip

Published

2022-03-15

Updated

2022-03-24

CVE-2021-45040

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Spatie media-library-pro library versions 1.17.10 and earlier Spatie media-library-pro library versions 2.x through 2.1.6

Description The issue allows remote attackers to upload executable files via the "uploads route" API endpoint. This can be exploited by attackers to upload malicious files.

Recommendations For Spatie media-library-pro library versions 1.17.10 and earlier, update to a version later than 1.17.10 to resolve the issue. For Spatie media-library-pro library versions 2.x through 2.1.6, update to a version later than 2.1.6 to resolve the issue. As a temporary workaround, consider restricting access to the "uploads route" API endpoint to minimize the risk of exploitation.

Exploit

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2021-45040

Affected Products

Media-Library-Pro

PT-2022-12299 · Spatie · Media-Library-Pro

CVE-2021-45040

Weakness Enumeration

Related Identifiers

Affected Products

References · 6