CVE-2020-24940 — Improper Input Validation in Laravel

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 50.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Laravel Illuminate Database Debian Php-laravel-framework

Timeline

PublishedSep 4

Latest updateMay 24

Description

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDlaravel/laravel7.0.0 — 7.23.2+1

▶Packagistilluminate/database6.0.0 — 6.18.34+2

▶debiandebian/php-laravel-framework

🔴Vulnerability Details

GHSA

Guard bypass in Eloquent models affecting Laravel illuminate database component↗2022-05-24

▶

OSV

Guard bypass in Eloquent models affecting Laravel illuminate database component↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2020-24940: php-laravel-framework - An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalid...↗2020

▶