CVE-2019-25673
Severity: High
CWE-434 — Weakness Type
Published: Apr 5, 2026  ·  Modified: Apr 12, 2026  ·  Source: NVD
CVSS v3: 8.8
📄 Description (English)

UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 contain an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by sending multipart form data to the upload endpoint. Attackers can upload PHP files with the type parameter set to Files and execute arbitrary code by accessing the uploaded file through the working directory path.

🤖 AI Executive Summary

CVE-2019-25673 is a critical arbitrary file upload vulnerability in UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 that allows authenticated attackers to upload and execute malicious PHP files. The vulnerability stems from insufficient file type validation on the upload endpoint, enabling remote code execution (RCE) on affected servers. With a CVSS score of 8.8 and no available patch, it poses an immediate threat to organizations using this component in their Laravel applications.

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 01:57
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using Laravel-based applications with UniSharp File Manager, particularly in:
1. Banking sector (SAMA-regulated institutions) using Laravel for internal portals or customer-facing applications
2. Government agencies (NCA oversight) deploying Laravel applications for document management
3. Healthcare providers managing patient records through Laravel systems
4. Telecommunications companies (STC, Mobily) using Laravel for administrative interfaces
5. E-commerce and fintech startups in the Saudi digital economy
The RCE capability enables complete server compromise, data exfiltration, and lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Healthcare and Medical Services; Telecommunications; E-commerce and Retail; Fintech and Digital Payment; Education and Universities; Energy and Utilities
⚖️ Saudi Risk Score (AI): 8.5 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of UniSharp Laravel File Manager v2.0.0-alpha7 and v2.0 in your environment using dependency scanning tools (composer show, npm audit)
2. Restrict access to the file upload endpoint to authorized users only via network ACLs and WAF rules
3. Disable the file manager component if not actively used
4. Review upload logs for suspicious PHP file uploads or unusual file types

PATCHING GUIDANCE:
1. Upgrade to a patched version if one is available from the UniSharp repository (check GitHub releases)
2. If no patch available, migrate to alternative Laravel file management packages (Laravel File Manager, Spatie Media Library)
3. Contact UniSharp developers for security advisory status

COMPENSATING CONTROLS:
1. Implement strict server-side file type validation (whitelist allowed extensions: jpg, png, pdf, docx only)
2. Store uploaded files outside web root directory to prevent direct execution
3. Disable PHP execution in upload directories via .htaccess (php_flag engine off) or nginx configuration
4. Implement Content Security Policy (CSP) headers to prevent inline script execution
5. Deploy Web Application Firewall (WAF) rules to block multipart requests with PHP file extensions
6. Enable file integrity monitoring on upload directories
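The following is an added, language-neutral illustration of compensating controls 1 and 2 (extension whitelist and storage outside the web root); it is not UniSharp's code nor a Laravel patch, and the storage path `/var/app/uploads`, the magic-byte table and the `UploadRejected` class are assumptions made for this example. The allow-list comes from control 1 and the executable-extension list from detection rule 2 on this page; the magic-byte cross-check goes beyond the page's text by refusing a file whose contents do not match its declared extension.

```python
import secrets
from pathlib import Path

# Allow-list from compensating control 1 on the page.
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf", "docx"}
# Executable extensions listed in detection rule 2; never allowed anywhere in a name.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}
# Leading bytes used to cross-check the declared extension (assumption: this small table
# is enough for the four allowed types; docx is a ZIP container, hence the PK header).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
}
# Hypothetical storage root outside the web root (control 2): files here are only ever
# read back by an application handler, never served or executed by the web server.
STORAGE_ROOT = Path("/var/app/uploads")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(original_name: str, content: bytes) -> str:
    """Return the allow-listed extension for this upload, or raise UploadRejected.

    The client-supplied Content-Type header is deliberately ignored: only the file
    name and the actual bytes are consulted.
    """
    # Strip any directory component the client sent (path traversal attempts).
    name = original_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith(".") or "\x00" in name:
        raise UploadRejected("invalid filename")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    # Reject double extensions such as shell.php.jpg, which some server configs execute.
    if any(p in EXEC_EXTENSIONS for p in parts[:-1]):
        raise UploadRejected("embedded executable extension")
    if not content.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def is_acceptable(original_name: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(original_name, content)
        return True
    except UploadRejected:
        return False


def choose_storage_path(ext: str, root: Path = STORAGE_ROOT) -> Path:
    """Pick a server-generated name: the client never controls the stored path."""
    return root / f"{secrets.token_hex(16)}.{ext}"


def store_upload(original_name: str, content: bytes, root: Path = STORAGE_ROOT) -> Path:
    """Validate, then write the file under a random name outside the web root."""
    ext = validate_upload(original_name, content)
    root.mkdir(parents=True, exist_ok=True)
    dest = choose_storage_path(ext, root)
    dest.write_bytes(content)
    return dest


if __name__ == "__main__":
    # Constructed sample inputs: a real JPEG header and a PHP payload disguised as PNG.
    print(is_acceptable("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # True
    print(is_acceptable("avatar.png", b"<?php echo 1;"))                    # False
    print(is_acceptable("shell.php.jpg", b"\xff\xd8\xff"))                  # False
```

The application keeps a database record mapping the random stored name back to the user's original file name and serves downloads through a handler that sets `Content-Disposition`, so no uploaded byte is ever reachable under a URL the web server would hand to the PHP interpreter.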

DETECTION RULES:
1. Monitor POST requests to /upload endpoints with Content-Type: multipart/form-data containing .php extensions
2. Alert on file creation in upload directories with executable extensions (php, phtml, php3, php4, php5, phar)
3. Track access to uploaded files via web server logs for suspicious execution patterns
4. Monitor process execution from web server user (www-data, apache) spawning shell processes
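As an added example of detection rules 1 and 3 run over web server logs (not code from this page or from UniSharp), the script below parses combined-format access log lines, flags POSTs to an upload endpoint, and raises a higher-confidence alert when the same client then successfully fetches a file with one of the executable extensions from rule 2 out of the upload directory. The log lines are constructed for this example; the upload route `/laravel-filemanager/upload` and the public upload prefix `/files/` are assumptions that must be adjusted to the deployment. Note that the multipart `filename=` part of rule 1 is not visible in an access log and needs a WAF or application log to check.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Executable extensions from detection rule 2 on the page.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}
# Assumed URL prefix under which the file manager exposes uploaded files.
UPLOAD_DIR_PREFIX = "/files/"

# Apache/nginx "combined" log format: client, identd, user, timestamp, request, status, size,
# then optional referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: one client uploads, then requests an executable file back;
# a second client only fetches a document and probes for a file that does not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2026:01:10:01 +0300] "GET /laravel-filemanager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2026:01:10:07 +0300] "POST /laravel-filemanager/upload?type=Files HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2026:01:10:15 +0300] "GET /files/avatar.PHP?ts=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2026:01:12:40 +0300] "GET /files/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2026:01:13:02 +0300] "GET /files/old.phtml HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""


@dataclass
class Alert:
    ip: str
    rule: str
    path: str


def strip_query(path: str) -> str:
    """Drop query string and fragment so extension checks see only the file name."""
    return path.split("?", 1)[0].split("#", 1)[0]


def extension_of(path: str) -> str:
    """Last extension of the final path segment, lower-cased; empty if there is none."""
    name = strip_query(path).rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Apply rules 1 and 3, correlating upload and execution by client address."""
    alerts: List[Alert] = []
    uploaders = set()  # clients that have POSTed to an upload endpoint
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the pipeline
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        clean = strip_query(path)
        if method == "POST" and "/upload" in clean:
            uploaders.add(ip)
            alerts.append(Alert(ip, "upload-endpoint-post", path))
        elif (clean.startswith(UPLOAD_DIR_PREFIX)
              and extension_of(path) in EXEC_EXTENSIONS
              and status.startswith("2")):
            # A 2xx means the server actually served (and under PHP, executed) the file;
            # a prior upload from the same client makes this the highest-confidence signal.
            rule = "upload-then-execute" if ip in uploaders else "executable-in-upload-dir"
            alerts.append(Alert(ip, rule, path))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.rule:<24} {a.ip:<14} {a.path}")
```

In production the upload-endpoint rule on its own is noisy (every legitimate upload trips it), so it is best kept as an enrichment signal while the correlated "upload-then-execute" pattern pages the on-call analyst; the 404 probe in the sample is dropped on purpose because nothing was executed, though a burst of such probes is worth a separate low-severity rule.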
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy (insecure file upload handling)
A.14.2.5 - Secure development environment (vulnerable component usage)
A.12.6.1 - Management of technical vulnerabilities (unpatched software)
A.12.3.1 - Configuration management (insecure upload endpoint configuration)
🔵 SAMA CSF
ID.SC-4 - Supply chain risk management (vulnerable third-party components)
PR.DS-1 - Data security (file upload validation controls)
PR.AC-1 - Access control (authentication bypass via file upload)
DE.CM-1 - Detection and analysis (monitoring file uploads)
🟡 ISO 27001:2022
A.14.2.1 - Secure development and change management
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
A.12.3.1 - Configuration management
A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0
6.2 - Ensure security patches are installed
6.5.8 - Improper access control (file upload vulnerability)
11.2 - Vulnerability scanning and remediation
📊 CVSS Score: 8.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-434
EPSS: 0.06%
Exploit: No
Patch: No
Published: 2026-04-05
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.5 / 10.0
Priority: CRITICAL
🏷️ Tags
CWE-434