Description

Laravel log viewer is a log viewer for Laravel 5 (compatible with 4.2 too) and Lumen.

Laravel Log Viewer before version v0.13.0 relies on Base64 encoding of filenames for l, dl, and del endpoints, which makes it easier for remote attackers to bypass access restrictions, as demonstrated by reading arbitrary files via a dl request.

Remediation

Upgrade to the latest version of Laravel Log Viewer. This vulnerability was fixed in Laravel Log Viewer v0.13.0.

References

Laravel Log Viewer Local File Download

Laravel Log Viewer v0.13.0

Related Vulnerabilities

WordPress Plugin WP Post Popup Directory Traversal (2.1.1)

WordPress Plugin WP-DBManager 'wp-config.php' Arbitrary File Download (2.60)

Typo3 Restler 1.7.0 Local File Disclosure

WordPress Plugin Recent Backups Arbitrary File Download (0.7)

MySQL Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2010-1848)

Severity

High

Classification

CVE-2018-8947 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Directory Traversal File Inclusion