This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading.
An attacker may be able to reproduce the following steps:
Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in here.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "0.0.0"
}
],
"source": "CPE_RANGE",
"vendor_product": "unisharp:laravel-filemanager",
"cpes": [
"cpe:2.3:a:unisharp:laravel-filemanager:*:*:*:*:*:*:*:*"
]
}
]
}