CVE-2021-21263
published 2021-01-19

Priority: P4 (30)
CVSS 3.1: 5.3 (medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.60% (72.8th percentile)
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 are affected by a query binding flaw; the same issue applies to the illuminate/database package that Laravel uses. If a request is crafted so that a field which is normally a non-array value arrives as an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings is added to the query. In some situations this simply leads to the query builder returning no results; however, certain queries can be affected in a way that causes them to return unexpected results.
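The following is an added example, not code from the advisory or from the Laravel project. It reproduces the binding-count problem described above with plain PDO and SQLite (bundled with PHP), using a small stand-in for the pre-fix builder behaviour (one binding per where() call, nested arrays flattened before execution). The table, rows, request values, column names and the trusted session tenant are all constructed for the demonstration; the hardened variant shows the check the advisory calls for (validate or cast the field to its expected scalar type before it reaches the builder).

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or from the Laravel project.
// It reproduces the binding-count problem the advisory describes with plain
// PDO + SQLite (bundled with PHP). The table, rows, request values and the
// trusted session tenant below are all constructed for the demonstration.

function seed(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('create table users (id integer primary key, email text, tenant_id integer, active integer)');
    $pdo->exec("insert into users (email, tenant_id, active) values
                ('alice@example.com', 1, 1),
                ('victim@example.com', 2, 1)");
    return $pdo;
}

// Stand-in for the pre-fix builder behaviour the advisory describes: each
// where() contributes its value to a binding list, and nested arrays are
// flattened before the list is handed to PDO. An array where a scalar was
// expected therefore adds (or removes) bindings and shifts every later one.
function vulnerableLookup(mixed $email, int $tenantId, mixed $active): array
{
    $sql = 'select email, tenant_id from users where email = ? and tenant_id = ? and active = ?';
    $values = [$email, $tenantId, $active];
    $bindings = [];
    array_walk_recursive($values, function ($v) use (&$bindings): void {
        $bindings[] = $v;
    });
    return [$sql, $bindings];
}

// Hardened: request fields are checked/cast to their expected scalar type before
// they reach the builder, and the binding count is compared with the placeholder
// count as a last line of defence (this SQL contains no quoted '?').
function hardenedLookup(mixed $email, int $tenantId, mixed $active): array
{
    if (!is_string($email) || !is_scalar($active)) {
        throw new InvalidArgumentException('email and active must be scalar request values');
    }
    $sql = 'select email, tenant_id from users where email = ? and tenant_id = ? and active = ?';
    $bindings = [$email, $tenantId, (int) $active];
    if (substr_count($sql, '?') !== count($bindings)) {
        throw new LogicException('binding count does not match placeholder count');
    }
    return [$sql, $bindings];
}

function run(PDO $pdo, string $sql, array $bindings): array
{
    $stmt = $pdo->prepare($sql);
    foreach ($bindings as $i => $value) {
        $stmt->bindValue($i + 1, $value);   // PDO placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = seed();
$sessionTenant = 1;   // trusted value taken from the authenticated session, not the request

// Normal request (?email=alice@example.com&active=1): one binding per placeholder.
[$sql, $b] = vulnerableLookup('alice@example.com', $sessionTenant, '1');
echo 'normal: ', json_encode(run($pdo, $sql, $b)), PHP_EOL;

// Crafted request (?email[]=victim@example.com&email[]=2&active[]=): email now
// contributes two bindings and active none, so the count still matches the
// three placeholders but every value slides one position to the left. The
// attacker-chosen second element is bound to tenant_id and the trusted tenant
// is bound to active, so the tenant scoping the code intended is lost.
[$sql, $b] = vulnerableLookup(['victim@example.com', '2'], $sessionTenant, []);
echo 'shifted bindings: ', json_encode($b), PHP_EOL;
echo 'shifted: ', json_encode(run($pdo, $sql, $b)), PHP_EOL;

// Crafted request whose array length does not line up with the placeholders:
// the sqlite PDO driver rejects a binding index past the last placeholder,
// which is the "no results"/error outcome the advisory mentions.
try {
    [$sql, $b] = vulnerableLookup(['a@example.com', 'b@example.com'], $sessionTenant, '1');
    run($pdo, $sql, $b);
} catch (PDOException $e) {
    echo 'mismatch rejected by PDO: ', $e->getMessage(), PHP_EOL;
}

// The same crafted input never reaches SQL on the hardened path.
try {
    hardenedLookup(['victim@example.com', '2'], $sessionTenant, []);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. Two practical points follow from it: the wrong-row outcome only appears when the array lengths happen to line up with the placeholder count, which is why the advisory says "certain queries" rather than all of them, and how a mismatched count surfaces (exception or silently empty result) depends on the database driver, so absence of errors in logs is not evidence the input was well-formed. In a Laravel application the fix is the one the advisory describes: validate the field as a scalar before it reaches the builder (for example `$request->validate(['email' => 'required|string|email'])`) and upgrade to the fixed versions listed below.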

Affected (13 ranges)

Vendor      Product                Version range                 Fixed in
debian      php-laravel-framework  < 6.20.11+dfsg-1 (bookworm)   6.20.11+dfsg-1 (bookworm)
illuminate  database               >= 6.0.0, < 6.20.12           6.20.12
illuminate  database               >= 7.0.0, < 7.30.3            7.30.3
illuminate  database               >= 8.0.0, < 8.22.1            8.22.1
laravel     framework              (no version range listed)
laravel     framework              (no version range listed)
laravel     framework              (no version range listed)
laravel     framework              >= 6.0.0, < 6.20.11           6.20.11
laravel     framework              >= 7.0.0, < 7.30.2            7.30.2
laravel     framework              >= 8.0.0, < 8.22.1            8.22.1
laravel     laravel                >= 6.0.0, < 6.20.11           6.20.11
laravel     laravel                >= 7.0.0, < 7.30.2            7.30.2
laravel     laravel                >= 8.0.0, < 8.22.1            8.22.1

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
osv                     5.3    MEDIUM
vendor_debian           7.2    HIGH