Description
Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath() function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination(). Attackers can exploit the permissive character-class regex that allows both dot and slash characters combined with an ineffective trailing trim() call to bypass sanitization and upload files to sensitive locations such as the document root, environment configuration files, or application configuration directories, enabling remote code execution.
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
Any version before 7.0.0
Credits
Xurshidbek Sobirjonov
VulnCheck
References
github.com/plank/laravel-mediable/releases/tag/7.0.0 (laravel-mediable 7.0.0 Release Notes)
github.com/...ommit/6d1e7fb39922fdfb3b2d120e13f4eb2e653ae082 (Patch Commit)
www.vulncheck.com/...le-path-traversal-via-file-sanitizepath