Possibility for Denial of Service by overwriting PHP files with language exports

Moderate
barryvdh published GHSA-3fvf-2gp4-89wq Mar 17, 2022

Package

barryvdh/laravel-translation-manager (Composer)

Affected versions

<0.6.2

Patched versions

0.6.2

Description

Impact

Laravel Translation Manager did not validate the locale name, which allowed directory traversal when exporting translation files. The exported content is always a PHP file returning an array of translations, but writing it to an unintended path could overwrite existing PHP files and lead to unexpected results, such as denial of service. Exploitation requires access to the Laravel Translation Manager, because a new locale has to be added and published.
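
The kind of locale-name check whose absence is described above, as an added example (not the package's code and not the fix shipped in 0.6.2). The function name `safeLocaleDir()`, the allow-list pattern and the 32-character limit are assumptions made for illustration; the sample locale names are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from laravel-translation-manager.
// safeLocaleDir() and its allow-list pattern are hypothetical.

/** Return the export directory for $locale, or throw if the name could leave $langRoot. */
function safeLocaleDir(string $langRoot, string $locale): string
{
    // Allow-list: letters, digits, '_' and '-' (e.g. "en", "pt_BR", "zh-Hans").
    // '.', '/', '\' and NUL are excluded, so no traversal sequence can pass.
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $locale) !== 1) {
        throw new InvalidArgumentException('Invalid locale name');
    }

    $root = realpath($langRoot);
    if ($root === false) {
        throw new RuntimeException('Language directory does not exist');
    }

    // Defence in depth: an existing locale directory may be a symlink, so
    // resolve it and confirm it is still inside the language root.
    $dir = $root . DIRECTORY_SEPARATOR . $locale;
    if (file_exists($dir)) {
        $resolved = realpath($dir);
        if ($resolved === false || strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException('Locale directory resolves outside the language root');
        }
    }
    return $dir;
}

// Constructed sample input, checked against a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'en', 0700, true);

foreach (['en', 'pt_BR', '../../app', 'en/../../config', "en\0"] as $candidate) {
    try {
        echo json_encode($candidate), ' -> ', safeLocaleDir($root, $candidate), PHP_EOL;
    } catch (Throwable $e) {
        echo json_encode($candidate), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}

rmdir($root . DIRECTORY_SEPARATOR . 'en');
rmdir($root);
```

Only `en` and `pt_BR` produce a path; the three names containing separators, dots or a NUL byte are rejected before any file is written.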

Patches

Version 0.6.2 fixes this issue.

Workarounds

Only allow trusted admins to publish/edit translations.

References

#417

For more information

If you have any questions or comments about this advisory:

Credits

Found and reported by Natalia Trojanowska

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs