CVE-2021-43808
published 2021-12-08

Priority: P424 (medium)
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.80% (51.9th percentile)
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. The cause is that the parent placeholder is a SHA-1 hash that a user can guess by trying common section names. If the parent template contains an exploitable HTML structure, an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.

Affected

12 ranges

Vendor       Product                Version range                          Fixed in
debian       php-laravel-framework  < 6.20.14+dfsg-3 (bookworm)            6.20.14+dfsg-3 (bookworm)
illuminate   view                   >= 0 < 6.20.42                         6.20.42
illuminate   view                   >= 7.0.0 < 7.30.6                      7.30.6
illuminate   view                   >= 8.0.0 < 8.75.0                      8.75.0
laravel      framework              < 6.20.42                              6.20.42
laravel      framework              (no range given)                       (not given)
laravel      framework              (no range given)                       (not given)
laravel      framework              >= 0 < 6.20.42                         6.20.42
laravel      framework              >= 7.0.0 < 7.30.6                      7.30.6
laravel      framework              >= 7.0.0 < 7.30.6                      7.30.6
laravel      framework              >= 8.0.0 < 8.75.0                      8.75.0
laravel      framework              >= 8.0.0 < 8.75.0                      8.75.0

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv            -        6.1    MEDIUM    -
vendor_debian  -        5.3    MEDIUM    -