Possibility for Denial of Service by overwriting PHP files with language exports

Moderate severity GitHub Reviewed Published Mar 17, 2022 in barryvdh/laravel-translation-manager • Updated Jan 11, 2023

Package

composer barryvdh/laravel-translation-manager (Composer)

Affected versions

< 0.6.2

Patched versions

0.6.2

Description

Impact

Laravel Translation Manager did not validate the locale name before using it as a path segment, so a locale containing `..` segments or path separators allowed directory traversal when translations were exported to disk: the exported file could be written outside the intended language directory. The written file is a PHP file returning an array of translations, but writing it over an existing file can still produce unexpected results, such as denial of service. Exploitation requires access to the Laravel Translation Manager interface, because a new locale has to be added and then published.
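As an added illustration (not the package's own code, and not the fix that shipped in 0.6.2), the PHP below shows how an unvalidated locale name turns into a path traversal once it is joined into the export path, beside a hardened variant that allowlists the locale and group names and then verifies that the resolved path still lies under the language directory. The `{langPath}/{locale}/{group}.php` layout, the function names and the traversal value `../../app` are assumptions made for the demo, not details taken from the advisory or the package.

```php
<?php
declare(strict_types=1);

// Illustration of the bug class described in the advisory: an unchecked
// locale name becomes a path segment. NOT the package's real export code.
// Assumed layout (conventional Laravel): {langPath}/{locale}/{group}.php
function naiveExportPath(string $langPath, string $locale, string $group): string
{
    return rtrim($langPath, '/') . '/' . $locale . '/' . $group . '.php';
}

// Hardened variant (hypothetical name): allowlist the locale and group,
// then confirm the resolved path still lies inside the language directory.
function safeExportPath(string $langPath, string $locale, string $group): string
{
    // Locale tags such as "en", "pt_BR", "zh-Hant": letters and digits with a
    // single separator between subtags. No slashes, no dots, no empty segments.
    if (!preg_match('/\A[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*\z/', $locale)) {
        throw new InvalidArgumentException("Invalid locale name: {$locale}");
    }
    // Group names become file names inside the locale directory.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_-]*\z/', $group)) {
        throw new InvalidArgumentException("Invalid group name: {$group}");
    }

    $base   = normalizePath($langPath);
    $target = normalizePath($base . '/' . $locale . '/' . $group . '.php');

    // Defence in depth: even with the allowlist, refuse anything that does not
    // resolve to a descendant of $base.
    if (strncmp($target, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException("Refusing to write outside {$base}: {$target}");
    }
    return $target;
}

// Lexical resolution of "." and ".." for an absolute path. Pure string
// processing, so it works for files that do not exist yet and needs no
// filesystem access (unlike realpath()).
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Constructed demo values; the traversal locale is a made-up example of the
// input class, not a target taken from the advisory.
$langPath = '/var/www/app/resources/lang';
$cases = ['en', 'pt_BR', '../../app'];

foreach ($cases as $locale) {
    $naive = naiveExportPath($langPath, $locale, 'messages');
    printf("locale %-12s naive -> %s%s", json_encode($locale), normalizePath($naive), PHP_EOL);
    try {
        printf("%-19s safe  -> %s%s", '', safeExportPath($langPath, $locale, 'messages'), PHP_EOL);
    } catch (InvalidArgumentException | RuntimeException $e) {
        printf("%-19s safe  -> rejected: %s%s", '', $e->getMessage(), PHP_EOL);
    }
}
```

For the traversal case the naive join resolves to `/var/www/app/app/messages.php`, outside `resources/lang`, while `safeExportPath()` rejects it at the allowlist. The allowlist is the primary control; the prefix check only catches mistakes in the allowlist, and because the normalisation is purely lexical it does not account for symlinks inside the language directory, so it should not be relied on alone.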

Patches

Version 0.6.2 fixes this issue.

Workarounds

Only allow trusted admins to publish/edit translations.

References

barryvdh/laravel-translation-manager#417

Credits

Found and reported by Natalia Trojanowska

Published to the GitHub Advisory Database Mar 18, 2022
Reviewed Mar 18, 2022
Last updated Jan 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-3fvf-2gp4-89wq