Livewire Filemanager Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Livewire Filemanager, a file manager package used in Laravel applications. The issue is in LivewireFilemanagerComponent.php: the component does not validate the extension or the MIME type of uploaded files. A user can therefore upload a PHP file, and that file is then served, and executed by the PHP interpreter, under the /storage/ URL whenever the application has been set up in the usual way with 'php artisan storage:link', which exposes storage/app/public as public/storage.
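The following is an added example, not code from Livewire Filemanager or the advisory: a Livewire upload handler that performs the two checks the component is reported to skip. The namespace, class name, property name, allowlist and storage paths are assumptions made for the illustration; the validation rule classes are Laravel's own (Laravel 9 and later).

```php
<?php
// Added example (not Livewire Filemanager's own code): a Livewire upload
// handler with the two checks the vulnerable component is reported to lack.
// Namespace, class, property and storage paths are assumptions.

namespace App\Livewire;

use Illuminate\Validation\Rules\File;
use Illuminate\Validation\ValidationException;
use Livewire\Component;
use Livewire\WithFileUploads;

class HardenedUpload extends Component
{
    use WithFileUploads;

    // Livewire temporary upload bound from the form (assumed property name).
    public $upload;

    // Allowlist of extensions. Nothing here is mapped to the PHP interpreter.
    // php is not the only dangerous extension (phtml, phar, php5 and others
    // usually are too), which is why an allowlist, not a denylist, is used.
    private const ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

    public function save(): void
    {
        // 1. Content check: the mimes rule behind File::types() guesses the
        //    MIME type from the file bytes and maps it back to an extension,
        //    so a PHP script renamed to shell.jpg is rejected here.
        $this->validate([
            'upload' => ['required', File::types(self::ALLOWED)->max(10 * 1024)], // KB
        ]);

        // 2. Name check: the client-supplied extension is validated separately,
        //    because a genuine GIF named shell.php passes the content check above,
        //    and the web server decides what to execute by name, not by content.
        $ext = strtolower(pathinfo($this->upload->getClientOriginalName(), PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED, true)) {
            throw ValidationException::withMessages([
                'upload' => 'File type not allowed.',
            ]);
        }

        // 3. Never reuse the client filename: generate a random name and keep
        //    the file on a disk that is not exposed through public/storage
        //    (the 'local' disk is storage/app in a default Laravel install).
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $this->upload->storeAs('uploads', $name, 'local');
    }

    public function render()
    {
        return view('livewire.hardened-upload');
    }
}
```

Files stored this way are not reachable through /storage/ at all; if they must be downloadable, serve them through a controller that streams from the 'local' disk after an authorization check, rather than moving them back onto the public disk.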

Impact

Exploitation of this vulnerability allows unauthenticated remote code execution on the server, with the code running as the web server user. That access can be used to read and write any file that user can reach (in a Laravel deployment this typically includes the application code and its configuration) and to use the compromised host as a foothold against other systems reachable from it.

Remediation

As of now, the vendor has not acknowledged this vulnerability. Until a fix is available, use Livewire Filemanager with caution. Check whether 'php artisan storage:link' has been run (public/storage will then be a symlink to storage/app/public). If it has, either remove the link or configure the web server so that nothing under /storage/ is ever passed to the PHP interpreter, so that uploaded files are served as static content or not at all. Removing the link also disables any legitimate public assets published through it, so plan for that before doing so.
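An added check for the two remediation points above, written here and not part of the advisory or the package: a stand-alone PHP CLI script that reports whether public/storage is linked and, if so, lists files already present in the linked directory whose name carries an extension a typical PHP-FPM or Apache setup would execute (a useful first triage step, since the vulnerability leaves webshells exactly there). The project path, the extension list and the exit codes are assumptions.

```php
<?php
// Added example (not part of the advisory or of Livewire Filemanager).
// Usage:  php storage_link_check.php /path/to/laravel/project
declare(strict_types=1);

// Extensions commonly handed to the PHP interpreter by web server configs.
// A conservative list; the exact set depends on the deployment (assumption).
const SCRIPT_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];

/** Returns the resolved target of public/storage, or null when no symlink exists. */
function storageLinkTarget(string $projectRoot): ?string
{
    $link = rtrim($projectRoot, '/') . '/public/storage';
    if (!is_link($link)) {
        return null;
    }
    $target = realpath($link);              // follows the link; false if dangling
    return $target === false ? null : $target;
}

/** Lists files under $dir whose name contains a script extension segment. */
function findScriptFiles(string $dir): array
{
    if (!is_dir($dir)) {
        return [];
    }
    $found = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        // Every segment after the first dot is compared, so both "shell.jpg.php"
        // and "shell.php.jpg" are flagged: Apache configurations that map PHP via
        // AddHandler execute the latter too. False positives are acceptable here.
        $segments = explode('.', strtolower($file->getFilename()));
        array_shift($segments);              // drop the base name
        if (array_intersect($segments, SCRIPT_EXTENSIONS) !== []) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

$root   = $argv[1] ?? getcwd();
$target = storageLinkTarget($root);

if ($target === null) {
    echo "OK: public/storage is not a symlink; files in storage/app/public are not reachable via /storage/.\n";
    exit(0);
}

echo "WARNING: public/storage -> {$target} (created by 'php artisan storage:link')\n";
$scripts = findScriptFiles($target);
if ($scripts === []) {
    echo "No script files found there yet. Remove the link or block PHP execution under /storage/ before exposing the file manager.\n";
    exit(1);
}
echo "Script files present in the web-reachable storage directory (treat as a possible compromise):\n";
foreach ($scripts as $path) {
    echo "  {$path}\n";
}
exit(2);
```

Exit code 2 means a file that the web server would execute is already sitting in a web-reachable directory; preserve it for forensics (timestamps, web server access logs for the matching /storage/ path) rather than deleting it immediately. Exit code 1 means the exposure exists but nothing has been planted yet, which is the moment to remove the link or add a web server rule that never passes /storage/ requests to PHP.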

Added: Jan 16, 2026, 1:25 PM
Updated: Jan 16, 2026, 4:06 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 9.1
remediation: 7.9
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.