FileManager provides a Backpack admin interface for files and folder. Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. This vulnerability is fixed in 3.0.9.
Metrics
CVSS Version: 3.1 |
Base Score: 7.7 HIGH Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* NETWORK Attack Complexity (AC)* HIGH Privileges Required (PR)* HIGH User Interaction (UI)* REQUIRED Scope (S)* CHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* HIGH Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-502 CWE Name: CWE-502: Deserialization of Untrusted Data Source: Laravel-Backpack
Common Attack Pattern Enumeration and Classification (CAPEC)