A couple of days ago a security issue in the upload components provided by Media Library Pro was disclosed. If you were using these components to publicly allow files to be uploaded to the local filesystem, it was possible to upload executable files under the right circumstances.
Projects that only use the free spatie/laravel-medialibrary package are not affected.
We started working on the necessary fixes immediately, and have released them as a patch. We highly recommend that you upgrade to version v2.1.11 or higher. If you are on v1, upgrade to v1.17.12.
In v2.1.11 of Media Library Pro we made security-related changes to mitigate the vulnerability.
- We made temporary upload validation stricter (only files with certain MIME types and extensions are allowed)
- Responses from the temporary upload endpoint return hard-to-guess URLs
- Temporary uploads are rate limited by default
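The three mitigations listed above (stricter validation by extension and MIME type, unguessable URLs for temporary uploads, and rate limiting) can be illustrated together in a small, framework-independent handler. The following is an added Python example, not Media Library Pro's own code and not a reproduction of its implementation; the `ALLOWED` policy, `validate_upload`, `SlidingWindowLimiter`, `TemporaryUploadHandler` and the sample byte strings are all constructed for this example.

```python
import secrets
import time
from collections import defaultdict, deque

# Allowlist keyed by extension: accepted declared MIME types and the magic-byte
# prefixes the content must start with. Constructed for this example; a real
# policy lists only the types the application actually needs.
ALLOWED = {
    "png":  ({"image/png"},       (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ({"image/jpeg"},      (b"\xff\xd8\xff",)),
    "jpeg": ({"image/jpeg"},      (b"\xff\xd8\xff",)),
    "gif":  ({"image/gif"},       (b"GIF87a", b"GIF89a")),
    "pdf":  ({"application/pdf"}, (b"%PDF-",)),
}


def validate_upload(filename, declared_mime, data):
    """Return (True, ext) if the upload passes every check, else (False, reason).

    The filename and the Content-Type header are both client-controlled, so the
    checks are layered: every dotted suffix must be allowlisted (rejecting
    'x.php.png' as well as 'x.png.php'), the declared MIME type must match the
    extension, and the leading bytes must carry that type's magic signature.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing file name or extension"
    for ext in parts[1:]:
        if ext not in ALLOWED:
            return False, f"extension .{ext} is not allowed"
    ext = parts[-1]
    mimes, magics = ALLOWED[ext]
    if declared_mime.lower() not in mimes:
        return False, f"declared type {declared_mime!r} does not match .{ext}"
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not look like a .{ext} file"
    return True, ext


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # forget hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class TemporaryUploadHandler:
    """Rate-limits, validates and stores an upload under an unguessable name."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.store = {}  # token -> (ext, data); stands in for the temporary upload directory

    def handle(self, client_ip, filename, declared_mime, data, now=None):
        if not self.limiter.allow(client_ip, now):
            return False, "too many uploads, try again later"
        ok, result = validate_upload(filename, declared_mime, data)
        if not ok:
            return False, result
        token = secrets.token_urlsafe(32)  # 256 random bits: the URL cannot be enumerated
        self.store[token] = (result, data)
        return True, f"/temporary-uploads/{token}.{result}"


# Constructed sample inputs: a real PNG header versus PHP source disguised as an image.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + bytes(16)
PHP_BYTES = b"<?php echo 'not an image'; ?>"


def run_scenario():
    """Two uploads from one client pass, the third inside the 60 s window is
    throttled, the window expiring lets a later one through, and a file whose
    bytes are not PNG is rejected regardless of its name and declared type."""
    handler = TemporaryUploadHandler(SlidingWindowLimiter(limit=2, window=60))
    return [
        handler.handle("10.0.0.1", "cat.png", "image/png", PNG_BYTES, now=100.0)[0],
        handler.handle("10.0.0.1", "cat.png", "image/png", PNG_BYTES, now=101.0)[0],
        handler.handle("10.0.0.1", "cat.png", "image/png", PNG_BYTES, now=102.0)[0],
        handler.handle("10.0.0.1", "cat.png", "image/png", PNG_BYTES, now=161.0)[0],
        handler.handle("10.0.0.2", "cat.png", "image/png", PHP_BYTES, now=102.0)[0],
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that none of the three checks is sufficient alone: an extension allowlist is bypassed by a mismatched body, a declared MIME type is whatever the client sends, and magic bytes alone say nothing about how the web server will treat the file on disk once it is named `.php`. Storing under a random token also means the original, attacker-chosen name never reaches the filesystem or the URL.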
We've also improved our documentation mentioning these improvements and best practices. You can see the PR with the changes here.
What we’ll do better in the future
In the security report linked above, you'll read that we were notified of this problem in December 2021. We received an email explaining the issue, but not all points from the report were mentioned in the mail. That made it difficult for us to provide a solution at the time. We also weren’t notified when the CVE was made public, and only noticed it via Twitter recently. After reading the full report, we started working on a fix.
Moving forward, we believe we can improve how we handle security issues from our end. Instead of accepting security issues as regular mails on firstname.lastname@example.org, we're now accepting them on email@example.com. Messages sent to our security inbox will trigger a high priority notification to several members of our team.
We want to thank Kelvin Yip for notifying us of these issues, and for his feedback and help in fixing them.
We take security seriously, and apologize for any inconvenience this issue may have caused. If you have any questions or remarks, simply reply to this email.