Laravel-Backpack / FileManager

Admin interface for files & folders, using elFinder.

Steps to get new elFinder version #48

Closed tabacitu closed 7 months ago

tabacitu commented 7 months ago

This package is just a wrapper around barryvdh/laravel-elfinder, which is just a wrapper around Studio-42/elFinder. In v2.1.62 this package has received an important security fix.

We have bumped the version in https://github.com/Laravel-Backpack/FileManager/releases/tag/3.0.6 to get that fix too. But since the version is inside blade files that are published, to properly get the new version you need to do:

```bash
composer update backpack/filemanager

# remove the published blade views
rm -rf resources/views/vendor/elfinder

# publish the new blade views
php artisan backpack:filemanager:install

# clear the basset cache and cache all assets again
php artisan basset:fresh

# or, if you don't want to do the above, just cache the new asset:
php artisan basset:cache
```

You can see more about the vulnerability here. As specified there, "This vulnerability can be exploited by allowing untrusted users to write to the local file system." We believe most of the developers that use our package use it for ADMINS, not USERS, so they should be safe. But you should do the steps above nonetheless.

Hope it helps!
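A check for the situation described in the comment above, where `composer update` has run but the published blade views still pin an older version. This is an added example, not code from the issue or from the Backpack project. It assumes that the pinned version appears as a dotted `x.y.z` string on a line that also mentions "elfinder", and that v2.1.62 is the version those views should reference; the function name `stale_refs` is hypothetical.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 1, 62)                          # version the post names as carrying the fix
VIEWS = "resources/views/vendor/elfinder"   # published views path from the post
# Assumption: the pinned version is a dotted x.y.z string on a line that
# also mentions "elfinder" (for example inside an asset URL).
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def stale_refs(views_dir=VIEWS, fixed=FIXED):
    """Return (file, line_no, version) for each pinned version older than `fixed`."""
    findings = []
    root = Path(views_dir)
    if not root.is_dir():
        return findings  # no published views to check
    for path in sorted(root.rglob("*.blade.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if "elfinder" not in line.lower():
                continue
            for m in VERSION_RE.finditer(line):
                version = tuple(int(p) for p in m.groups())
                if version < fixed:  # tuple comparison: (2, 1, 61) < (2, 1, 62)
                    findings.append((str(path), no, m.group(0)))
    return findings


if __name__ == "__main__":
    hits = stale_refs(sys.argv[1] if len(sys.argv) > 1 else VIEWS)
    for file, no, version in hits:
        print(f"{file}:{no}: pins {version}, older than {'.'.join(map(str, FIXED))}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a CI job fail on stale views
```

Run from the Laravel project root after the steps above; any output means the published views were not regenerated.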