CVE-2024-47823
published 2024-10-08CVE-2024-47823: Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`…
PriorityP358critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.82%
52.7th percentile
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| laravel | livewire | < 2.12.7 | 2.12.7 |
| laravel | livewire | >= 3.0.0 < 3.5.2 | 3.5.2 |
| livewire | livewire | < 2.12.7 | 2.12.7 |
| livewire | livewire | — | — |
| livewire | livewire | >= 0 < 2.12.7 | 2.12.7 |
| livewire | livewire | >= 3.0.0-beta.1 < 3.5.2 | 3.5.2 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.7HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Livewire Remote Code Execution on File Uploads
ghsa·2024-10-08
CVE-2024-47823 [HIGH] CWE-20 Livewire Remote Code Execution on File Uploads
Livewire Remote Code Execution on File Uploads
In livewire/livewire prior to `v2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:
- Filename is composed of the original file name using `$file->getClientOriginalName()`
- Files stored directly on your server in a public storage disk
- Webserver is configured to execute “.php” files
### PoC
In the following scenario, an attacker could upload a file called `shell.php` with an `image/png` MIME type and execute
OSV
Livewire Remote Code Execution on File Uploads
osv·2024-10-08
CVE-2024-47823 [HIGH] Livewire Remote Code Execution on File Uploads
Livewire Remote Code Execution on File Uploads
In livewire/livewire prior to `v2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension.
If the following criteria are met, the attacker can carry out an RCE attack:
- Filename is composed of the original file name using `$file->getClientOriginalName()`
- Files stored directly on your server in a public storage disk
- Webserver is configured to execute “.php” files
### PoC
In the following scenario, an attacker could upload a file called `shell.php` with an `image/png` MIME type and execute
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-10-08
Published