CVE-2024-13918

March 10, 2025, 5:15 p.m.

8.0
High

Description

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

Product(s) Impacted

Product Versions
Laravel
  • 11.9.0 - 11.35.1

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/laravel/framework/pull/53869
https://github.com/laravel/framework/releases/tag/v11.36.0
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page
http://www.openwall.com/lists/oss-security/2025/03/10/3

Tags

CWE-79
1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a
2025-03-10
CVE-2024-13918

CVSS Score

8.0 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Date

  • Published: March 10, 2025, 10:15 a.m.
  • Last Modified: March 10, 2025, 5:15 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.