Description

Laravel log viewer is a log viewer for Laravel 5 (compatible with 4.2 too) and Lumen.

Laravel Log Viewer before version v0.13.0 relies on Base64 encoding of filenames for l, dl, and del endpoints, which makes it easier for remote attackers to bypass access restrictions, as demonstrated by reading arbitrary files via a dl request.

Remediation

Upgrade to the latest version of Laravel Log Viewer. This vulnerability was fixed in Laravel Log Viewer v0.13.0.

References

Laravel Log Viewer Local File Download

Laravel Log Viewer v0.13.0

Related Vulnerabilities

WordPress 4.5.3 Directory Traversal Vulnerability (4.5.3)

Grandnode Path Traversal (CVE-2019-12276)

WordPress Plugin True Ranker Directory Traversal (2.2.2)

WordPress Plugin zM Ajax Login & Register Multiple Vulnerabilities (1.0.9)

Wordpress Plugin Backup Migration Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2023-6972)

Severity

High

Classification

CVE-2018-8947 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Directory Traversal File Inclusion