Unrestricted Upload of Executable PHP Content in Laravel Framework

Unrestricted Upload of Executable PHP Content in Laravel Framework

CVE-2021-43617 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

Learn more about our Cis Benchmark Audit For Debian Linux.