CVE-2024-52306 – backpack/filemanager
Package
Manager: composer
Name: backpack/filemanager
Vulnerable Version: >=3.0.0 <3.0.9 || >=0 <2.0.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01115 (percentile 0.77358)
Details
FileManager Deserialization of Untrusted Data vulnerability
Impact: Deserialization of untrusted data from the `mimes` parameter could lead to remote code execution.
Patches: Fixed in 3.0.9.
Workarounds: Not needed; a `composer update` will solve it in a non-breaking way.
References: Reported responsibly by [Vladislav Gladkiy](https://github.com/catferq) at [Positive Technologies](https://www.ptsecurity.com/ww-en/).
Metadata
Created: 2024-11-13T18:43:02Z
Modified: 2024-11-18T20:35:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-8237-957h-h2c2/GHSA-8237-957h-h2c2.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-8237-957h-h2c2
Finding: F096
Auto approve: 1