z-song / laravel-admin

Build a full-featured administrative interface in ten minutes
https://laravel-admin.org
MIT License

CVE-2023-24249 #5726

Closed xiaoWangSec closed 1 year ago

xiaoWangSec commented 1 year ago

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24249

alexoleynik0 commented 1 year ago

I've "fixed" this by adding a mime rule to all my $form->image calls (I've created my custom field, actually). As for the auth/setting route form, you can extend Encore\Admin\Controllers\AuthController in your controllers, edit/remove the "avatar" field, and set the path to your new controller in config/admin.php -- "auth.controller".
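The mitigation described in that comment, written out as an added example (not code from the thread or from laravel-admin itself): a controller that extends Encore\Admin\Controllers\AuthController, attaches a server-side MIME/content check to the "avatar" upload, and is wired in through the "auth.controller" key. It assumes, as in laravel-admin 1.x, that the base class builds the auth/setting form in a protected settingForm() method and that the form's fields are reachable via $form->builder()->fields(); the 2 MB size limit is a constructed value.

```php
<?php
// app/Admin/Controllers/HardenedAuthController.php
// Added example, not code from the thread or from laravel-admin itself.
// Assumes (as in laravel-admin 1.x) that the base controller builds the
// auth/setting form in a protected settingForm() method and that the form's
// fields are reachable through $form->builder()->fields().

namespace App\Admin\Controllers;

use Encore\Admin\Controllers\AuthController as BaseAuthController;
use Encore\Admin\Form;
use Encore\Admin\Form\Field;

class HardenedAuthController extends BaseAuthController
{
    /**
     * Reuse the stock settings form but attach server-side validation to the
     * avatar upload. Laravel's "image"/"mimes" rules inspect the file's real
     * content type, so a script renamed to *.png is rejected on submit no
     * matter what the browser-side file picker allowed.
     */
    protected function settingForm()
    {
        $form = parent::settingForm();

        $form->builder()->fields()
            ->filter(function (Field $field) {
                return $field->column() === 'avatar';
            })
            ->each(function (Field $field) {
                $field
                    // Content-sniffed image types only; 2 MB cap is a constructed limit.
                    ->rules('nullable|image|mimes:jpeg,png,gif,webp|max:2048')
                    // Never keep the client-supplied filename; generate a random one.
                    ->uniqueName();
            });

        return $form;
    }
}

// config/admin.php: point laravel-admin at the hardened controller.
// 'auth' => [
//     'controller' => App\Admin\Controllers\HardenedAuthController::class,
//     // ... other auth settings unchanged
// ],
```

The same ->rules('image|mimes:...') call belongs on every other $form->image field in your own forms, since the field itself imposes no content-type check by default.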

javier-ceron commented 1 year ago

Check this: https://github.com/z-song/laravel-admin/pull/5805/files