CVE-2024-21546: 
PHP vulnerability analysis and mitigation

CVE-2024-21546 affects versions of the package unisharp/laravel-filemanager before 2.9.1. The vulnerability was discovered on December 18, 2024, and allows Remote Code Execution (RCE) through file upload functionality. The vulnerability affects the Laravel file management package used in web applications (NVD, CVE).

The vulnerability exists in the file upload functionality where attackers can bypass security controls by using a valid mimetype and inserting the '.' character after the php file extension (e.g., 'filename.php.'). Although the application has mechanisms to prevent users from uploading files with extensions like PHP, HTML and mimetypes text/x-php, text/html, text/plain, this bypass technique allows for successful upload of malicious files. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) and CVSS v4.0 score of 8.9 (High) (Snyk).

The vulnerability allows attackers to execute arbitrary code on the affected system through uploaded malicious files. This can lead to complete system compromise, as successful exploitation provides attackers with the ability to execute commands on the server hosting the vulnerable application (NVD).

The vulnerability has been patched in version 2.9.1 of unisharp/laravel-filemanager. The fix includes additional validation to prevent special characters in file extensions. Users should upgrade to version 2.9.1 or later to address this vulnerability (GitHub Commit).