Описание
PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. Prior to version 5.3.0, an unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in a remote code execution vulnerability. Every application that stores attachments with Attachment::save() without providing a $filename or passing unsanitized user input is affected by this attack.
An attacker can send an email with a malicious attachment to the inbox, which gets crawled with webklex/php-imap or webklex/laravel-imap. Prerequisite for the vulnerability is that the script stores the attachments without providing a $filename, or providing an unsanitized $filename, in src/Attachment::save(string $path, string $filename = null). In this case, where no $filename gets passed into the Attachment::save() method, the package would use a series of unsanitized and insecure input values from th
Ссылки
- Product
- Product
- Patch
- Release Notes
- ExploitVendor Advisory
- Product
- Product
- Patch
- Release Notes
- ExploitVendor Advisory
Уязвимые конфигурации
EPSS
9 Critical
CVSS3
9.8 Critical
CVSS3
Дефекты
Связанные уязвимости
PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. Prior to version 5.3.0, an unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in a remote code execution vulnerability. Every application that stores attachments with `Attachment::save()` without providing a `$filename` or passing unsanitized user input is affected by this attack. An attacker can send an email with a malicious attachment to the inbox, which gets crawled with `webklex/php-imap` or `webklex/laravel-imap`. Prerequisite for the vulnerability is that the script stores the attachments without providing a `$filename`, or providing an unsanitized `$filename`, in `src/Attachment::save(string $path, string $filename = null)`. In this case, where no `$filename` gets passed into the `Attachment::save()` method, the package would use a series of unsanitized and insecure input values from ...
php-imap vulnerable to RCE through a directory traversal vulnerability
EPSS
9 Critical
CVSS3
9.8 Critical
CVSS3