{"id":6161,"date":"2022-03-14T00:53:46","date_gmt":"2022-03-13T16:53:46","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=6161"},"modified":"2024-04-01T13:46:45","modified_gmt":"2024-04-01T05:46:45","slug":"cve-2021-45040","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2022\/03\/14\/cve-2021-45040\/","title":{"rendered":"CVE-2021-45040"},"content":{"rendered":"<p>On 14 Dec 2021, we reported a vulnerability (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45040\">CVE-2021-45040<\/a>) in the <a href=\"https:\/\/spatie.be\/docs\/laravel-medialibrary\">Spatie media-library-pro library<\/a>. In short, the Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-introduction\">Introduction<\/h2>\n\n\n\n<p>Media Library Pro is a paid add-on package for <a href=\"https:\/\/github.com\/spatie\/laravel-medialibrary\">Spatie Laravel Media Library<\/a>. Laravel Media Library Pro is intended to solve file upload challenges for PHP developers by providing a convenient &#8220;Temporary Upload&#8221; function and frontend packages for Blade, Livewire, React, and Vue.<\/p>\n\n\n\n<p>The &#8220;Temporary Upload&#8221; function of Media Library Pro also provides a route macro, &#8220;Route::mediaLibrary()&#8221;, which registers a route at &#8220;media-library-pro\/uploads&#8221;. This is the default URI endpoint, but it can be changed by the developer. The route accepts POST requests to upload files and stores the uploaded files inside a temporary directory. However, this route macro has <strong>NO authentication enabled by default<\/strong> in a Laravel API-style design. 
<\/p>\n\n\n\n<p>This temporary upload route accepts 3 POST parameters, <strong>uuid<\/strong>, <strong>name<\/strong> and <strong>file<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>uuid<\/strong> is a random string in this format: c46c4540-5803-11ec-970b-00155d4e8236; a random uuid can be generated with the Linux command &#8220;uuid&#8221;<\/li>\n\n\n\n<li><strong>name<\/strong> represents the file name, which is an arbitrary string<\/li>\n\n\n\n<li><strong>file<\/strong> is the actual file to be uploaded.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-unauthenticated-arbitrary-file-upload-concern-cve-2021-45040\">Unauthenticated Arbitrary File Upload concern (CVE-2021-45040)<\/h2>\n\n\n\n<p>After a successful POST request to the route &#8220;media-library-pro\/uploads&#8221;, a JSON payload including 
&#8220;<strong>original_url<\/strong>&#8221; string will be returned. Therefore, the user can directly access the uploaded file. If the server is not hardened properly, this lets an attacker upload a web shell, because there is no filtering of file type\/extension at the temporary upload stage.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-other-concerns\">Other concerns<\/h2>\n\n\n\n<p>In addition to the above &#8220;unauthenticated arbitrary file upload&#8221; issue, there is no file name length protection and no rate-limiting, which may also open the possibility of a DDoS attack or other issues.<\/p>\n\n\n\n<p>Furthermore, since Media Library Pro is a PHP software library that may be included by other software or websites, the issue may impact those websites and software packages as well. Therefore, it can also be classified as a <strong>Supply<\/strong>&#8211;<strong>Chain vulnerability<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-simulation-environment-for-cve-2021-45040\">Simulation environment for CVE-2021-45040<\/h2>\n\n\n\n<p>Below are the components used to simulate a vulnerable environment (CVE-2021-45040):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/laradock.io\/documentation\/\">Laradock<\/a> \/ <a href=\"https:\/\/www.apachefriends.org\/download.html\">XAMPP<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/getcomposer.org\/\">composer<\/a> &#8211; PHP package management tool<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/spatie\/laravel-medialibrary\">Laravel Media Library<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/spatie.be\/products\/media-library-pro\">Subscription of Laravel Media Library Pro<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.postman.com\/\">Postman<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/WhiteWinterWolf\/wwwolf-php-webshell\">A PHP Webshell<\/a> (e.g. <a href=\"https:\/\/github.com\/WhiteWinterWolf\/wwwolf-php-webshell\">wwwolf&#8217;s PHP web shell<\/a>) &#8211; <a href=\"https:\/\/github.com\/WhiteWinterWolf\/wwwolf-php-webshell\">wwwolf&#8217;s PHP web shell<\/a> is certainly a good one, but Windows Defender treats it as malware. You can also try our modified version of the PHP webshell <a href=\"https:\/\/github.com\/CyberSecThreat-Corporation-Limited\/wwwolf-php-webshell\">here<\/a>, which can evade Windows Defender as of this writing.<\/li>\n<\/ul>\n\n\n\n<p>Below are the instructions to set up the simulated vulnerable environment. First, we need to create a basic project skeleton:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>composer create-project --prefer-dist laravel\/laravel laravel8_medialibrarypro<\/code><\/pre>\n\n\n\n<p>Then, we need to install Laravel Media Library, generate the corresponding configuration and perform the database migration. Complete documentation is available <a href=\"https:\/\/spatie.be\/docs\/laravel-medialibrary\/v9\/installation-setup\">here<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd laravel8_medialibrarypro\/\ncomposer require \"spatie\/laravel-medialibrary:^9.0.0\"\nphp artisan vendor:publish --provider=\"Spatie\\MediaLibrary\\MediaLibraryServiceProvider\" --tag=\"migrations\"\nphp artisan migrate\nphp artisan vendor:publish --provider=\"Spatie\\MediaLibrary\\MediaLibraryServiceProvider\" --tag=\"config\"<\/code><\/pre>\n\n\n\n<p>Before proceeding with the following instructions, we need to configure the Composer repository and add the license; you can refer to the documentation <a href=\"https:\/\/spatie.be\/docs\/laravel-medialibrary\/v9\/handling-uploads-with-media-library-pro\/installation\">here<\/a>. 
Then, we can install Laravel Media Library Pro and publish its migrations.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>composer require spatie\/laravel-medialibrary-pro\nphp artisan vendor:publish --provider=\"Spatie\\MediaLibraryPro\\MediaLibraryProServiceProvider\" --tag=\"media-library-pro-migrations\"<\/code><\/pre>\n\n\n\n<p>Next, we append the route macro to routes\/web.php and run the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'Route::mediaLibrary();' &gt;&gt; routes\/web.php\nphp artisan serve<\/code><\/pre>\n\n\n\n<p>If everything is set up correctly, you will be able to upload a PHP webshell file to the server and check the value of &#8220;original_url&#8221; in the response.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"571\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-1024x571.png\" alt=\"CVE-2021-45040 postman upload\" class=\"wp-image-6182\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-1024x571.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-300x167.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-768x428.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-18x10.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload-600x334.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_postman_upload.png 1391w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">CVE-2021-45040 Postman upload screen<\/figcaption><\/figure>\n\n\n\n<p>Finally, we can access the webshell and run arbitrary commands as the user 
of web service.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"467\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-1024x467.png\" alt=\"CVE-2021-45040 webshell\" class=\"wp-image-6183\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-1024x467.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-300x137.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-768x350.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-1536x700.png 1536w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-18x8.png 18w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell-600x274.png 600w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell.png 1619w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">CVE-2021-45040 webshell screen<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-solution\">Solution<\/h2>\n\n\n\n<p>In this section, we will cover some possible solutions for CVE-2021-45040. 
<\/p>\n\n\n\n<p>If you are using Apache or Nginx, you can prevent an attacker from executing the uploaded PHP webshell by using configuration directives:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.nginx.com\/resources\/wiki\/start\/topics\/examples\/phpfcgi\/\">Nginx Location directives<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/httpd.apache.org\/docs\/2.4\/configuring.html\">Apache Directory\/Location directives<\/a><\/li>\n<\/ul>\n\n\n\n<p>We will also discuss another approach for each problem, which requires more customization:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-unauthenticated-upload\">Unauthenticated upload<\/h4>\n\n\n\n<p>Do not use the Route macro; register the route yourself and add the &#8220;auth:api&#8221; middleware. You may refer to the following sample:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Route::post('media-library\/uploads', TemporaryUpload::class)\n    -&gt;name('media-library-uploads')\n    -&gt;middleware(&#91;'auth:api']);<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-user-able-to-upload-any-kind-of-files\">User able to upload any kind of files<\/h4>\n\n\n\n<p>Adapt your new controller class and perform validation of the uploaded file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-user-can-directly-access-the-original-file\">User can directly access the original file<\/h4>\n\n\n\n<p>Extend the TemporaryUpload model, force an image conversion, and delete the original file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-original-file-name-is-returned-in-json-response\">Original file name is returned in JSON response<\/h4>\n\n\n\n<p>Extend the Media model and override the getOriginalUrlAttribute function to return the converted file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-predicatable-path-may-allow-brute-forcing\">Predictable path may allow brute-forcing<\/h4>\n\n\n\n<p>Extend the file_namer &amp; path_generator classes to generate a non-predictable path. 
One thing to note is that you cannot generate random paths or filenames.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-rate-limiting\">Rate-Limiting<\/h4>\n\n\n\n<p>Add a new middleware using RateLimiter.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary\">Summary<\/h2>\n\n\n\n<p>To summarize, the default implementation and <a href=\"https:\/\/spatie.be\/docs\/laravel-medialibrary\/v9\/handling-uploads-with-media-library-pro\/processing-uploads-on-the-server\">documentation<\/a> of Laravel medialibrary-pro allow &#8220;Unauthenticated Arbitrary File Upload&#8221;, which may lead to the upload of a PHP web shell and potentially a takeover of the entire system. We have discussed some possible solutions and some best practices for designing file upload functions in a web application.<\/p>\n\n\n\n<p><strong>Updated on 21 Mar 2022:<\/strong><\/p>\n\n\n\n<p>The Laravel Media Library Pro team released v2.1.11 &amp; v1.17.12, which fixed all our reported issues, and we have validated the results. We appreciate their effort and their commitment to security.<\/p>\n\n\n\n<p><strong>Updated on 19 Mar 2022:<\/strong><\/p>\n\n\n\n<p>The Laravel Media Library Pro team released v2.1.8, which fixes the issues, and we will work with them to validate the result and provide our feedback.<\/p>\n\n\n\n<p><strong>Updated on 18 Mar 2022:<\/strong><\/p>\n\n\n\n<p>We have received tons of replies regarding file upload best practices and concerns. So, we are preparing additional materials, including blog posts and YouTube videos, on this topic. 
Stay tuned!<\/p>\n\n\n\n<p><strong>Updated on 16 Mar 2022:<\/strong><\/p>\n\n\n\n<p>The Laravel Media Library Pro team is working on a fix, and the new changes introduce the following new features:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configurable upload file types, using both MIME types and file extensions for validation<\/li>\n\n\n\n<li>Random path generation using TemporaryUploadPathGenerator<\/li>\n\n\n\n<li>A recommendation to &#8220;use S3 for file uploads&#8221; as a best practice in the documentation<\/li>\n<\/ul>\n\n\n\n<p><strong>Official CVE Link:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45040\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-45040<\/a><\/p>\n\n\n\n<p><strong>Full Disclosure Link:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/seclists.org\/fulldisclosure\/2022\/Mar\/15\">https:\/\/seclists.org\/fulldisclosure\/2022\/Mar\/15<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>A vulnerability (CVE-2021-45040) was reported in Spatie&#8217;s Media Library Pro, a Laravel add-on, allowing remote attackers to upload executable files. This happened because the &#8216;Temporary Upload&#8217; function lacked authentication by default. Other issues include a lack of file name length protection and rate-limiting. Potential solutions include limiting executable file uploads, extending the TemporaryUpload model, and implementing rate limiting. 
The Laravel Media Library Pro team has since released fixes to address reported issues.<\/p>","protected":false},"author":2,"featured_media":6183,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[265,264,40,233,231,263,229],"tags":[225,260,226,228,17,234,232,262,230],"class_list":["post-6161","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cti","category-cyber-threat-intelligence","category-red-team","category-software-bill-of-materials","category-supply-chain-vulnerability","category-threat-intelligence","category-vulnerability-research","tag-cve-2021-45040","tag-cyber-threat-intelligence","tag-media-library-pro","tag-php","tag-red-team","tag-software-bill-of-materials","tag-supply-chain-vulnerability","tag-threat-intelligence","tag-vulnerability-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>CVE-2021-45040 - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"Spatie media-library-pro through 1.17.10 &amp; 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/cybersecthreat.com\/zh\/2022\/03\/14\/cve-2021-45040\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2021-45040\" \/>\n<meta property=\"og:description\" content=\"A vulnerability (CVE-2021-45040) was reported in Spatie&#039;s Media Library Pro, a Laravel add-on, allowing remote attackers to upload executable files. This happened because the &#039;Temporary Upload&#039; function lacked authentication by default. Other issues include a lack of file name length protection and rate-limiting. Potential solutions include limiting executable file uploads, extending the TemporaryUpload model, and implementing rate limiting. The Laravel Media Library Pro team has since released fixes to address reported issues.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2022\/03\/14\/cve-2021-45040\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-13T16:53:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:46:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1619\" \/>\n\t<meta property=\"og:image:height\" content=\"738\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" 
content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"CVE-2021-45040\",\"datePublished\":\"2022-03-13T16:53:46+00:00\",\"dateModified\":\"2024-04-01T05:46:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/\"},\"wordCount\":957,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/CVE-2021-45040_webshell.png\",\"keywords\":[\"CVE-2021-45040\",\"Cyber Threat Intelligence\",\"Media Library Pro\",\"PHP\",\"Red Team\",\"Software Bill of Materials\",\"Supply Chain Vulnerability\",\"Threat Intelligence\",\"Vulnerability Research\"],\"articleSection\":[\"CTI\",\"Cyber Threat Intelligence\",\"Red Team\",\"Software Bill of Materials\",\"Supply Chain Vulnerability\",\"Threat Intelligence\",\"Vulnerability 
Research\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/\",\"name\":\"CVE-2021-45040 - CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/CVE-2021-45040_webshell.png\",\"datePublished\":\"2022-03-13T16:53:46+00:00\",\"dateModified\":\"2024-04-01T05:46:45+00:00\",\"description\":\"Spatie media-library-pro through 1.17.10 & 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/CVE-2021-45040_webshell.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/CVE-2021-45040_webshell.png\",\"width\":1619,\"height\":738,\"caption\":\"CVE-2021-45040 
webshell\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Vulnerability Research\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/vulnerability-research\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2021-45040\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2022\\\/03\\\/14\\\/cve-2021-45040\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. 
\"}]}<\/script>","yoast_head_json":{"title":"CVE-2021-45040 - CyberSecThreat","author":"Kelvin Yip","article_published_time":"2022-03-13T16:53:46+00:00","article_modified_time":"2024-04-01T05:46:45+00:00","og_image":[{"width":1619,"height":738,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2022\/03\/CVE-2021-45040_webshell.png","type":"image\/png"}]},"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":0}