3 results (0.003 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. El componente Ignition versiones anteriores a 1.16.15, y versiones 2.0.x anteriores a 2.0.6, para Laravel presenta una función "fix variable names" que puede conllevar un control de acceso incorrecto. • https://github.com/facade/ignition/compare/1.16.14...1.16.15 https://github.com/facade/ignition/compare/2.0.5...2.0.6 https://github.com/facade/ignition/pull/285 •

CVSS: 9.8EPSS: 97%CPEs: 2EXPL: 26

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Ignition versiones anteriores a 2.5.2, como es usado en Laravel y otros productos, permite a atacantes remotos no autenticados ejecutar código arbitrario debido a un uso no seguro de las funciones file_get_contents() y file_put_contents(). Esto es explotable en sitios que usan el modo de depuración con Laravel versiones anteriores a 8.4.2 Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents(). • https://www.exploit-db.com/exploits/49424 https://github.com/zhzyker/CVE-2021-3129 https://github.com/SNCKER/CVE-2021-3129 https://github.com/joshuavanderpoll/CVE-2021-3129 https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP https://github.com/knqyf263/CVE-2021-3129 https://github.com/Y0s9/CVE-2021-3129 https://github.com/FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129 https://github.com/Axianke/CVE-2021-3129 https://github.com/shadowabi/Laravel-CVE-2021-3129 •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix. El componente Ignition anterior a la versión 2.0.5 para Laravel maneja mal los globals, _get, _post, _cookie y _env. NOTA: en la serie 1.x, las versiones 1.16.15 y posteriores no están afectadas como consecuencia de la corrección de CVE-2021-43996. • https://github.com/facade/ignition/compare/2.0.4...2.0.5 https://github.com/facade/ignition/releases/tag/2.0.5 •