PT-2022-25496 · Unisharp+1 · Unisharp/Laravel-Filemanager+1

Silicahd · Published 2022-09-14 · Updated 2023-11-24 · CVE-2022-40734

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: UniSharp laravel-filemanager (aka Laravel Filemanager) versions prior to 2.6.4; league/flysystem versions prior to 2.0.0

Description: The issue allows download?working_dir=%2F.. directory traversal to read arbitrary files. This has been exploited in the wild in June 2022. The problem is related to the use of league/flysystem before version 2.0.0.

Recommendations: For UniSharp laravel-filemanager (aka Laravel Filemanager) versions prior to 2.6.4, update to version 2.6.4 or later, which requires the installation of league/flysystem version 2.0.0 or later. For league/flysystem versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the download endpoint with the working_dir parameter to minimize the risk of exploitation.
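
As an added, defender-side example (not code from the page, from the Laravel Filemanager project or from league/flysystem), the following Python script applies the containment check a download endpoint should perform, resolving the working_dir and file parameters lexically and rejecting any value that climbs above the storage root, and runs it over constructed sample access-log lines so the workaround above can be verified and the June 2022 exploitation pattern spotted in existing logs. The endpoint path /laravel-filemanager/download, the file parameter name, the log format and all IPs and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the page); the endpoint path,
# parameter names, IPs and timestamps are assumptions for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2022:10:01:02 +0000] "GET /laravel-filemanager/download'
    '?working_dir=%2Fshares&type=Files&file=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/Sep/2022:10:02:17 +0000] "GET /laravel-filemanager/download'
    '?working_dir=%2F..&type=Files&file=.env HTTP/1.1" 200 431',
    '10.0.0.9 - - [14/Sep/2022:10:02:18 +0000] "GET /laravel-filemanager/download'
    '?working_dir=%2Fshares%2F..%2F..%2F..%2Fetc&type=Files&file=passwd HTTP/1.1" 200 1000',
    '10.0.0.7 - - [14/Sep/2022:10:03:00 +0000] "GET /laravel-filemanager/jsonitems'
    '?working_dir=%2Fshares&type=Files HTTP/1.1" 200 88',
]

# Common-log-format request line: client IP, request target and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def escapes_root(working_dir: str, file: str = "") -> bool:
    """Return True if working_dir joined with file would resolve above the storage root.

    The check is lexical: it walks path segments and tracks the depth below the root,
    so any '..' that would take the depth negative is an escape. It decodes once more
    in case a value was double-encoded and treats backslashes as separators.
    """
    path = unquote(working_dir).replace("\\", "/")
    if file:
        path += "/" + unquote(file).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def parse_request(line: str):
    """Parse one access-log line into ip, path, status and a flat dict of query params."""
    match = REQUEST_RE.match(line)
    if match is None:
        return None
    parts = urlsplit(match["target"])
    # parse_qs percent-decodes once, so %2F.. arrives here as /..
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ip": match["ip"],
        "path": parts.path,
        "status": int(match["status"]),
        "params": params,
    }


def find_traversal_requests(lines):
    """Return (ip, endpoint, working_dir, status) for each request whose
    working_dir/file pair would leave the storage root."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req is None or "working_dir" not in req["params"]:
            continue
        working_dir = req["params"]["working_dir"]
        if escapes_root(working_dir, req["params"].get("file", "")):
            hits.append((req["ip"], req["path"], working_dir, req["status"]))
    return hits


if __name__ == "__main__":
    for ip, endpoint, working_dir, status in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip} on {endpoint}: working_dir={working_dir!r} (HTTP {status})")
```

A 200 status on a flagged line is the signal to treat the host as compromised rather than merely probed, since the description states the flaw reads arbitrary files. The same escapes_root() logic, placed in the download handler before the path is handed to the filesystem layer, is the containment check the upgrade restores; restricting who can reach the endpoint at all, as the workaround suggests, reduces exposure until the upgrade is done.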

Exploit · Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-40734
GHSA-5M2H-7RF2-RPX6

Affected Products

Unisharp/Laravel-Filemanager
League/Flysystem