CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28254
https://notcve.org/view.php?id=CVE-2021-28254
18 Apr 2023 — A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands. • https://s1mple-top.github.io/2021/03/09/Laravel8-new-pop-chain-mining-process • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 2%CPEs: 3EXPL: 0CVE-2021-21263 – Query Binding Exploitation in Laravel
https://notcve.org/view.php?id=CVE-2021-21263
19 Jan 2021 — Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply l... • https://blog.laravel.com/security-laravel-62011-7302-8221-released • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 94%CPEs: 2EXPL: 36CVE-2021-3129 – Laravel Ignition File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-3129
12 Jan 2021 — Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Ignition versiones anteriores a 2.5.2, como es usado en Laravel y otros productos, permite a atacantes remotos no autenticados ejecutar código arbitrario debido a un uso no seguro de las funciones file_get_contents() y file_put_contents(... • https://packetstorm.news/files/id/165999 •