CVE-2021-43617
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
4Exploited in Wild
-Decision
Descriptions
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Laravel Framework hasta la versión 8.70.2 no bloquea suficientemente la subida de contenido PHP ejecutable porque Illuminate/Validation/Concerns/ValidatesAttributes.php carece de una comprobación para los archivos .phar, que se manejan como application/x-httpd-php en sistemas basados en Debian. NOTA: este registro CVE es para Laravel Framework, y no está relacionado con ningún informe sobre aplicaciones de usuario escritas incorrectamente para la carga de imágenes
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-14 CVE Reserved
- 2021-11-14 CVE Published
- 2021-11-15 First Exploit
- 2024-08-04 CVE Updated
- 2024-09-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1331-L1333 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/50525 | 2021-11-15 | |
| https://github.com/kombat1/CVE-2021-43617 | 2021-11-22 | |
| https://github.com/Sybelle03/CVE-2021-43617 | 2023-06-08 | |
| https://github.com/aweiiy/CVE-2021-43617 | 2022-08-03 |
| URL | Date | SRC |
|---|