HackerOne Disclosed Reports - 2025-02-23


Severity: Medium | State: resolved

Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/


Bug reported by ꦄꦤ꧀ꦢꦿꦶ was disclosed on February 23, 2025, 9:03 am   |   Information Disclosure

The Laravel framework contained a vulnerability known as CVE-2021-3129, which allowed remote code execution because of unsafe PHP code in the Ignition debug module. The vulnerability was relatively easy to exploit and required no authentication, hence its high CVSS score of 9.8. It was triggered by a crafted POST request to the `/_ignition/execute-solution` endpoint, which let an attacker execute arbitrary code on the target system.
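Two checks a defender would run against a Laravel deployment like the one in this report, as an added example that is not part of the original report or of Laravel/Ignition: the first reads a Laravel `.env` file and reports whether `APP_DEBUG` is on (the setting under which Ignition's debug routes are meant to be reachable); the second scans web-server access logs in the common combined format for any request to the `/_ignition/` routes, so that probes against `/_ignition/execute-solution` become visible. The `.env` contents and log lines in the block are constructed for the example; the hostnames and IP addresses are documentation placeholders, not the reported host.

```python
"""
Added example (not code from the original report or from Laravel/Ignition):
defender-side checks for a Laravel instance exposing Ignition debug routes.

- debug_mode_enabled(): parses Laravel .env text and reports whether APP_DEBUG
  evaluates to true the way Laravel's env() helper would.
- find_ignition_requests(): parses combined-format access log lines
  (nginx/Apache) and returns every request whose path is under /_ignition/.

All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Laravel's env() maps these strings to a falsy value; any other non-empty
# string comes back as-is and is truthy in PHP (assumption: matches the
# env() helper's handling of "true"/"false"/"null"/"empty" and PHP truthiness).
_FALSE_VALUES = {"", "false", "(false)", "0", "null", "(null)", "empty", "(empty)"}


def debug_mode_enabled(env_text: str) -> bool:
    """Return True if the .env content turns APP_DEBUG on."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "APP_DEBUG":
            value = value.strip().strip('"\'')  # drop optional quoting
            return value.lower() not in _FALSE_VALUES
    return False  # Laravel defaults APP_DEBUG to false when it is unset


# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def find_ignition_requests(log_lines):
    """Return a Hit for every parsed request whose path is under /_ignition/."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path.startswith("/_ignition/"):
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            path, int(m.group("status"))))
    return hits


# Constructed sample data (placeholder host and documentation IP ranges).
SAMPLE_ENV = """APP_NAME=mpos
APP_ENV=production
APP_DEBUG=true
APP_URL=https://example.invalid
"""

HARDENED_ENV = SAMPLE_ENV.replace("APP_DEBUG=true", "APP_DEBUG=false")

SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2025:09:03:11 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Feb/2025:09:03:15 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [23/Feb/2025:09:04:02 +0000] "GET /_ignition/health-check HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '192.0.2.44 - - [23/Feb/2025:09:05:40 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("APP_DEBUG on (sample .env):", debug_mode_enabled(SAMPLE_ENV))
    print("APP_DEBUG on (hardened .env):", debug_mode_enabled(HARDENED_ENV))
    for hit in find_ignition_requests(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
```

On the sample data the `.env` check flags the production file because `APP_DEBUG=true`, and the log scan returns the POST to `/_ignition/execute-solution` and the GET to `/_ignition/health-check` while ignoring ordinary application traffic. A 200 on the `execute-solution` route from a non-browser client is the line worth alerting on; the fix for the underlying CVE-2021-3129 is upgrading `facade/ignition` to 2.5.2 or later, and the fix for the exposure in this report is `APP_DEBUG=false` in production regardless of the Ignition version.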




