Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS0zZnZmLTJncDQtODl3cc00LA
Possibility for Denial of Service by overwriting PHP files with language exports
Impact
Laravel Translation Manager did not validate the locale name, which allowed directory traversal when exporting files. The exported content is a PHP file returning an array of translations; written to an attacker-chosen path it could overwrite existing PHP files and lead to unexpected results, such as denial of service. Access to the Laravel Translation Manager is required, because a new locale would have to be added and published.
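The defensive check implied by the impact description, as an added example that is not part of the advisory or of the package's own code: a locale name is validated against a strict allow-list before it is used as a path component, and the resulting directory is confirmed to lie under the language base directory. The helper names isSafeLocale and resolveExportPath, the group-name handling and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not the package's own code): validate a locale name before
// using it as a path component when exporting translation files.
// Assumed helper names: isSafeLocale(), resolveExportPath(). Inputs are constructed.

declare(strict_types=1);

/**
 * Accept only names made of letters, digits, underscores and hyphens
 * (e.g. "en", "pt_BR", "zh-Hant"), 1 to 16 characters long. Anything
 * containing "/", "\", "." or "%" is rejected, so the value can never
 * name a parent directory, an absolute path or a different file type.
 */
function isSafeLocale(string $locale): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,16}\z/', $locale);
}

/**
 * Build the export path $localeDir/$locale/$group.php and verify that the
 * locale directory resolves to a child of $localeDir. Returns null when the
 * locale or group is unacceptable, so a caller can never write outside the base.
 * (Applying the same allow-list to the group name is an assumption of this example.)
 */
function resolveExportPath(string $localeDir, string $locale, string $group): ?string
{
    if (!isSafeLocale($locale) || !isSafeLocale($group)) {
        return null;
    }
    $base = realpath($localeDir);
    if ($base === false) {
        return null;
    }
    $dir = $base . DIRECTORY_SEPARATOR . $locale;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return null;
    }
    // Second line of defence: after symlink resolution the directory must still
    // be inside the base. Compare with a trailing separator so that a sibling
    // directory merely sharing the base's prefix does not pass.
    $resolvedDir = realpath($dir);
    if ($resolvedDir === false
        || strpos($resolvedDir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolvedDir . DIRECTORY_SEPARATOR . $group . '.php';
}

// Constructed inputs: two valid locales, then names that must be rejected.
$base = sys_get_temp_dir() . '/lang_example';
@mkdir($base, 0755, true);
foreach (['en', 'pt_BR', '../config', 'fr%2F..', ''] as $candidate) {
    $path = resolveExportPath($base, $candidate, 'messages');
    printf("%-14s => %s\n", var_export($candidate, true), $path ?? 'rejected');
}
```

The allow-list alone is what closes the traversal; the realpath comparison is kept so that a future change to the pattern (or a symlinked locale directory) still cannot place the export outside the language directory.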
Patches
Version 0.6.2 fixes this issue.
Workarounds
Only allow trusted admins to publish/edit translations.
References
https://github.com/barryvdh/laravel-translation-manager/pull/417
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/barryvdh/laravel-translation-manager
- Email me (see GitHub profile)
Credits
Found and reported by Natalia Trojanowska
Permalink: https://github.com/advisories/GHSA-3fvf-2gp4-89wq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zZnZmLTJncDQtODl3cc00LA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-3fvf-2gp4-89wq
References:
- https://github.com/barryvdh/laravel-translation-manager/security/advisories/GHSA-3fvf-2gp4-89wq
- https://github.com/advisories/GHSA-3fvf-2gp4-89wq
Blast Radius: 0.0
Affected Packages
packagist:barryvdh/laravel-translation-manager
Dependent packages: 17
Dependent repositories: 404
Downloads: 2,445,785 total
Affected Version Ranges: < 0.6.2
Fixed in: 0.6.2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.6.0, 0.6.1
All unaffected versions: 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6