Laravel Mediable
Monthly
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.
Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.
Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.