CVE-2024-47823 (GCVE-0-2024-47823)
Vulnerability from cvelistv5
Published
2024-10-08 17:48
Modified
2025-07-17 18:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a “.php” file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute “.php” files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:laravel:livewire:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "livewire",
"vendor": "laravel",
"versions": [
{
"lessThan": "3.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47823",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T18:28:08.506159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T18:35:08.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "livewire",
"vendor": "livewire",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-beta.1, \u003c 3.5.2"
},
{
"status": "affected",
"version": "\u003c 2.12.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a \u201c.php\u201d file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file-\u003egetClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute \u201c.php\u201d files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T18:22:08.024Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp"
},
{
"name": "https://github.com/livewire/livewire/pull/8624",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/livewire/livewire/pull/8624"
},
{
"name": "https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5"
},
{
"name": "https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9"
}
],
"source": {
"advisory": "GHSA-f3cx-396f-7jqp",
"discovery": "UNKNOWN"
},
"title": "Livewire Remote Code Execution (RCE) on File Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47823",
"datePublished": "2024-10-08T17:48:36.496Z",
"dateReserved": "2024-10-03T14:06:12.640Z",
"dateUpdated": "2025-07-17T18:22:08.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-47823\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-08T18:15:31.370\",\"lastModified\":\"2025-03-06T14:24:40.890\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a \u201c.php\u201d file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file-\u003egetClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute \u201c.php\u201d files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Livewire es un framework full-stack para Laravel que permite componentes de UI din\u00e1micos sin salir de PHP. En livewire/livewire `\u0026lt; v3.5.2`, la extensi\u00f3n de archivo de un archivo cargado se adivina en funci\u00f3n del tipo MIME. Como resultado, la extensi\u00f3n de archivo real del nombre de archivo no se valida. Por lo tanto, un atacante puede eludir la validaci\u00f3n cargando un archivo con un tipo MIME v\u00e1lido (por ejemplo, `image/png`) y una extensi\u00f3n de archivo \u201c.php\u201d. Si se cumplen los siguientes criterios, el atacante puede llevar a cabo un ataque RCE: 1. El nombre de archivo est\u00e1 compuesto por el nombre de archivo original utilizando `$file-\u0026gt;getClientOriginalName()`. 2. Archivos almacenados directamente en su servidor en un disco de almacenamiento p\u00fablico. 3. El servidor web est\u00e1 configurado para ejecutar archivos \u201c.php\u201d. Este problema se ha solucionado en la versi\u00f3n de lanzamiento 3.5.2. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.12.7\",\"matchCriteriaId\":\"B6446531-ADA1-4E07-927F-1AB6E0169262\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:laravel:livewire:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.5.2\",\"matchCriteriaId\":\"8834EF93-2302-41B4-A5D2-2918D4740BB3\"}]}]}],\"references\":[{\"url\":\"https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/livewire/livewire/pull/8624\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Issue Tracking\"]},{\"url\":\"https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47823\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-08T18:28:08.506159Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:laravel:livewire:*:*:*:*:*:wordpress:*:*\"], \"vendor\": \"laravel\", \"product\": \"livewire\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.5.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-08T18:33:17.239Z\"}}], \"cna\": {\"title\": \"Livewire Remote Code Execution (RCE) on File Uploads\", \"source\": {\"advisory\": \"GHSA-f3cx-396f-7jqp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"livewire\", \"product\": \"livewire\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0-beta.1, \u003c 3.5.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.12.7\"}]}], \"references\": [{\"url\": \"https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp\", \"name\": \"https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/livewire/livewire/pull/8624\", \"name\": \"https://github.com/livewire/livewire/pull/8624\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5\", \"name\": \"https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9\", \"name\": \"https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a \\u201c.php\\u201d file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file-\u003egetClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute \\u201c.php\\u201d files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-17T18:22:08.024Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-47823\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-17T18:22:08.024Z\", \"dateReserved\": \"2024-10-03T14:06:12.640Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-08T17:48:36.496Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…