Published: 12 Aug 2024
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 7.5
Description
Filament Excel Vulnerable to Path Traversal Attack on Export Download Endpoint
Impact
The export download route /filament-excel/{path} allowed downloading any file without login when the webserver allows ../ in the URL.
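The defensive check that closes this class of bug, written here as an added illustration (not the package's own PHP/Laravel code): the `{path}` segment is percent-decoded, joined to the export directory, resolved, and only served if the result is still inside that directory, and the authentication check runs before any filesystem work. The export directory path is a constructed example.

```python
"""Hardened lookup for an export-download route of the form /filament-excel/{path}."""
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed example location; the real package stores exports elsewhere.
EXPORT_DIR = Path("/var/app/storage/filament-excel").resolve()


def resolve_export(requested: str, export_dir: Path = EXPORT_DIR) -> Optional[Path]:
    """Map the {path} URL segment to a file inside export_dir, or None if it escapes.

    The segment is percent-decoded first so an encoded '../' (%2e%2e%2f) cannot slip
    past a naive substring check. resolve() collapses every '..' component and
    is_relative_to() then enforces containment against the resolved base.
    """
    decoded = unquote(requested)
    # Absolute paths and NUL bytes are never legitimate export names; reject early.
    if decoded.startswith(("/", "\\")) or "\x00" in decoded:
        return None
    candidate = (export_dir / decoded).resolve()
    if not candidate.is_relative_to(export_dir):
        return None
    return candidate


def handle_download(requested: str, authenticated: bool,
                    export_dir: Path = EXPORT_DIR) -> Tuple[int, Optional[Path]]:
    """Return (http_status, path). Unauthenticated callers never reach the lookup."""
    if not authenticated:
        return 401, None
    target = resolve_export(requested, export_dir)
    if target is None:
        # Do not distinguish 'escaped the directory' from 'no such export'.
        return 404, None
    return 200, target
```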
Patches
Patched with Version v2.3.3
Credits
Thanks to Kevin Pohl for reporting this.
References
- https://github.com/pxlrbt/filament-excel/security/advisories/GHSA-m3px-vjxr-fx4m
- https://nvd.nist.gov/vuln/detail/CVE-2024-42485
- https://github.com/pxlrbt/filament-excel/commit/af36f933b032aefccc87d17431b6e74673b04af5
- https://github.com/pxlrbt/filament-excel/commit/bda42891a4b0c15d5dab5da8c53a006ddadccfb7
- https://github.com/pxlrbt/filament-excel/releases/tag/v1.1.14
Packages
Name: pxlrbt/filament-excel (composer)
Affected versions: >= 2.0.0-alpha, < 2.3.3
Fixed version: 2.3.3

Name: pxlrbt/filament-excel (composer)
Affected versions: < 1.1.14
Fixed version: 1.1.14
Related vulnerabilities
CVSS3: 7.5
nvd
more than 1 year ago
Filament Excel enables excel export for Filament admin resources. The export download route `/filament-excel/{path}` allowed downloading any file without login when the webserver allows `../` in the URL. Patched with Version v2.3.3.