CVE-2018-8947 - rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests,

CVE-2018-8947

Summary

rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.

References

Vulnerable Configurations

cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.6:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.6:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.7:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.7:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.8:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.8:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.9:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.9:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.10:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.1.10:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.5:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.5:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.6:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.6:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.7:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.7:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.8:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.2.8:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.4.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.7.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.8.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.9.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.3:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.10.4:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.11.2:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.12.0:*:*:*:*:*:*:*
cpe:2.3:a:laravel_log_viewer_project:laravel_log_viewer:0.12.0:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

CWE-312

CAPEC

Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

exploit-db	44343
misc	https://github.com/rap2hpoutre/laravel-log-viewer/commit/cda89c06dc5331d06fab863d7cb1c4047ad68357 https://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0

Last major update

03-10-2019 - 00:03

Published

25-03-2018 - 16:29

Last modified

03-10-2019 - 00:03