PT-2023-25180 · Webklex+1 · Webklex/Laravel-Imap+2

Angelej · Published 2023-06-21 · Updated 2023-07-06 · CVE-2023-35169

CVSS v3.1: 9.0 Critical

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

PHP-IMAP versions prior to 5.3.0

Description

An unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in remote code execution. Every application that stores attachments with Attachment::save() without providing a $filename, or that passes unsanitized user input as $filename, is affected by this attack. An attacker can send an email with a malicious attachment to an inbox that is crawled with webklex/php-imap or webklex/laravel-imap. The attacker can upload malicious code of any type and content to any location where the underlying user has write permissions. The attacker can also overwrite existing files and inject malicious code into files that are later executed by the system, e.g. via cron or requests.

Recommendations

For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider sanitizing the $filename parameter passed to the Attachment::save() method to prevent directory traversal attacks. Restrict access to the Attachment::save() method to minimize the risk of exploitation. Avoid using the Attachment::save() method without providing a sanitized $filename value until the issue is resolved.
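One way to implement the temporary workaround, as an added example that is not code from the advisory or from webklex/php-imap: reduce the untrusted attachment name to a single safe path component and confirm the resulting target stays inside the storage directory before anything is written. The helper names, the storage directory and the sample names are constructed for illustration, and the final commented call assumes save() takes the directory first and $filename second.

```php
<?php
declare(strict_types=1);

// Added example: helper names and sample inputs are constructed, not part of webklex/php-imap.

/** Reduce an untrusted attachment name to a single safe path component. */
function safe_attachment_name(string $untrusted): string
{
    // Treat both separator styles as separators, then keep only the last component.
    $name = basename(str_replace('\\', '/', $untrusted));
    // Replace NUL/control bytes and anything outside a conservative allow-list.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
    // Leading dots would leave ".", ".." or hidden files such as .htaccess.
    $name = ltrim($name, '.');
    // Fall back to a random name when nothing usable is left.
    return $name !== '' ? substr($name, 0, 200) : 'attachment-' . bin2hex(random_bytes(8));
}

/** Build the target path and refuse anything that lands outside $baseDir. */
function safe_target_path(string $baseDir, string $untrusted): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("storage directory missing: $baseDir");
    }
    $target = $base . DIRECTORY_SEPARATOR . safe_attachment_name($untrusted);
    // Defence in depth: never write through a pre-existing symlink.
    if (is_link($target)) {
        throw new RuntimeException('refusing to write through a symlink');
    }
    if (dirname($target) !== $base) {
        throw new RuntimeException('resolved path escapes the storage directory');
    }
    return $target;
}

// Constructed sample names: one benign, the rest traversal-style or degenerate.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mail-attachments-demo';
@mkdir($dir, 0700, true);
$samples = ['invoice.pdf', '../../var/www/html/index.php', '..\\..\\cron.d\\job', '..', "a\0b.txt"];
foreach ($samples as $raw) {
    printf("%-36s => %s\n", json_encode($raw), basename(safe_target_path($dir, $raw)));
}
// With the library, the sanitized value is then passed explicitly (call shape assumed):
// $attachment->save($dir, safe_attachment_name($untrustedName));
```

Every sample resolves to a plain file name directly under the storage directory; the bare ".." input is replaced by a random name rather than rejected, so mail processing does not stall on a hostile message.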

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-35169
GHSA-47P7-XFCC-4PV9

Affected Products

Php-Imap
Webklex/Laravel-Imap
Webklex/Php-Imap