CVE-2024-13918 — Cross-site Scripting in Framework

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

1.0%

top 23.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Laravel Framework Laravel Holdings INC Laravel Framework Debian Php-laravel-framework

Timeline

PublishedMar 10

Description

The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDlaravel/framework11.9.0 — 11.36.0

▶Packagistlaravel/framework11.9.0 — 11.36.0

▶CVEListV5laravel_holdings_inc/laravel_framework11.9.0 — 11.35.1

▶debiandebian/php-laravel-framework

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Laravel framework susceptible to reflected cross-site scripting↗2025-03-10

▶

GHSA

Laravel framework susceptible to reflected cross-site scripting↗2025-03-10

▶

📋Vendor Advisories

Debian

CVE-2024-13918: php-laravel-framework - The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to ref...↗2024

▶