Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0372
In file app\Http\Controllers\V1\Admin\Settings\CompanyController.php
/**
 * Stores the avatar carried in the request as media in the 'admin_avatar' collection.
 *
 * Security review: the file content ($data->data) and the stored file name
 * ($data->name) are both read from the request's `avatar` JSON, and the call
 * below passes no MIME allowlist. As shown, nothing in this method restricts
 * what kind of file is stored or which extension it is stored under.
 * A hardened caller would pass an explicit image MIME allowlist to
 * addMediaFromBase64() and choose the stored name and extension server-side.
 *
 * @param Request $request Incoming request; its `avatar` field is expected to be
 *                         a JSON string with `data` (base64) and `name` members.
 */
public function uploadAvatar(Request $request){
//...
// json_decode() yields null for malformed JSON; the visible lines dereference
// the result without checking it or the presence of `data` / `name`.
$data = json_decode($request->avatar);
// No allowed MIME types are supplied, so the variadic allowlist is empty for this call.
// The file name, extension included, is whatever the request supplied; any
// sanitising done inside the library is not visible in this excerpt.
$user->addMediaFromBase64($data->data)
->usingFileName($data->name)
->toMediaCollection('admin_avatar');
}
In file vendor\spatie\laravel-medialibrary\src\InteractsWithMedia.php
/**
 * Excerpt: accepts base64 data from the caller and writes bytes to a temporary file.
 *
 * The variadic $allowedMimeTypes is the caller's optional MIME allowlist; a caller
 * that passes nothing leaves it empty. Where the allowlist is enforced is not
 * visible in this excerpt.
 * NOTE(review): upstream appears to validate the temp file's detected MIME type
 * against this list after the write below - confirm for the installed version.
 *
 * The declared return type is FileAdder; the return statement is part of the
 * elided code.
 */
public function addMediaFromBase64(string $base64data, ...$allowedMimeTypes): FileAdder
{
//...
// $binaryData is assigned in the elided code above - presumably the decoded
// form of $base64data; confirm against the full source.
// tempnam() creates a uniquely named file in the system temp directory with the
// 'media-library' prefix; it can return false on failure, which is not checked
// in the visible lines.
$tmpFile = tempnam(sys_get_temp_dir(), 'media-library');
// The caller-supplied bytes reach disk here, before any content check visible in this excerpt.
file_put_contents($tmpFile, $binaryData);
}