CVE-2022-40734
published 2022-09-14


Priority: P273 · medium · 6.5 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Exploit status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 4.06% (89.4th percentile)
UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.

Affected

2 ranges

Vendor     Product               Version range      Fixed in
unisharp   laravel-filemanager   >= 0, < 2.6.4      2.6.4
unisharp   laravel_filemanager   <= 2.5.1           (not stated)

Detection & IOCs (extracted from sources)

url:  /download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd
url:  /laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc&type=Files&file=passwd
path: download?working_dir=%2F..
  • Look for HTTP GET requests containing 'download?working_dir=%2F..' with path traversal sequences targeting sensitive files such as /etc/passwd
  • Shodan/FOFA fingerprinting: identify exposed Laravel Filemanager instances via HTML body content 'Laravel Filemanager' or 'laravel filemanager'
  • A successful exploitation response will contain Unix /etc/passwd content; match on the regex pattern 'root:[x*]:0:0' in HTTP responses
  • Monitor both the /download and /laravel-filemanager/download endpoints for the 'working_dir', 'type', and 'file' query parameters used in traversal exploitation
  • The vulnerability requires authenticated access (PR:L in CVSS), meaning the attacker must have low-privilege credentials to exploit the directory traversal
  • This CVE was actively exploited in the wild as of June 2022 and carries a very high EPSS score (91.7%), indicating a high real-world exploitation probability

CVSS provenance

nvd        v3.1   6.5   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vulncheck         6.5   MEDIUM