Laravel Medialibrary
Monthly
File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.
Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.
File upload restriction bypass in Spatie Laravel Media Library prior to 11.23.0 allows authenticated remote attackers to upload files with double extensions (e.g., shell.php.jpg) or executable extensions missing from the blocklist (.php6, .shtml, .htaccess) due to a flawed sanitizer in FileAdder::defaultSanitizer() that only inspects the final filename suffix. Successful exploitation can lead to arbitrary PHP code execution when the application is deployed behind a legacy Apache AddHandler configuration, with no public exploit identified at time of analysis. The flaw carries a CVSS 4.0 score of 8.7 (high) reflecting high confidentiality, integrity, and availability impact.
Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.