From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability Description:
   - Title: Exported files stored in default (public) filesystem if not reconfigured
   - Severity: Low
   - Publisher: danharrin
   - Published: 3 days ago
   - Package Name: filament/actions (PHP)
   - Affected Versions: >= 3.2.0, = 3.2.123

2. Vulnerability Details:
   - Summary: All Filament features interacting with storage use the configuration option. By default, it is set to , allowing users to easily switch to production-ready storage drivers like S3 during deployment without changing multiple configuration options.
   - Description: Some Filament features, such as exporting, rely on storage, and stored files may contain data that should not be publicly accessible. The default setting of may lead to security vulnerabilities.
   - Mitigation: A fix has been implemented: if the default is set to , the export functionality will automatically switch to if available. Users can continue using by explicitly setting .

3. Vulnerability Information:
   - CVE ID: CVE-2024-51758
   - CWE ID: CWE-1188
   - Description: Use of insecure default values during resource initialization.
   - Impact: Unauthorized users can read exported files.
   - Vulnerable Component: https://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153
   - Exploit Conditions: Unauthorized user
   - Researcher: Vladislav Gladky (Positive Technologies)

4. Additional Information:
   - CVSS v4 Base Metrics: AV:N/AC:L/AT:P/PR:N/UI:P/RC:L/RL:N/CL:N/SC:N/CI:N/IA:N/AF:N
   - Exploitability Metrics:
     - Attack Vector: Network
     - Attack Complexity: Low
     - Privileges Required: None
     - User Interaction: Passive
   - Vulnerable System Impact Metrics:
     - Confidentiality: Low
     - Integrity: None
     - Availability: None
   - CWE ID: CWE-1188
   - Contributors: danharrin (Coordinator), catferq (Finder)

This information provides a detailed description of the vulnerability, its scope of impact, mitigation measures, and relevant security metrics.