CVE-2024-13919

State: PUBLISHED · Published: 2025-03-10 · Updated: 2025-03-10 · Assigner: sba-research

Description

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page.

CWE

CWE-79 — CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Affected

Laravel Holdings Inc. / Laravel Framework — v=11.9.0 ≤11.35.1 [affected]

CVSS

3.1 score=8 severity=HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References

https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page third-party-advisory
https://github.com/laravel/framework/pull/53869 patch
https://github.com/laravel/framework/releases/tag/v11.36.0 release-notes

Source

cvelistV5-main/cves/2024/13xxx/CVE-2024-13919.json