CVE-2017-9303 — Improper Input Validation in Framework

CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 57.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Illuminate Auth Laravel Framework Laravel +1 more

Timeline

PublishedMay 29

Latest updateMay 17

Description

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶Packagistlaravel/laravel5.4.0 — 5.4.22

▶Packagistlaravel/framework5.4.0 — 5.4.22+1

▶NVDlaravel/laravel5.4.0

▶debiandebian/php-laravel-framework

▶Packagistilluminate/auth5.4.0 — 5.4.22+1

🔴Vulnerability Details

OSV

Laravel does not properly constrain the host portion of a password-reset URL↗2022-05-17

▶

GHSA

Laravel does not properly constrain the host portion of a password-reset URL↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2017-9303: php-laravel-framework - Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a pa...↗2017

▶