CVE-2024-21504
published 2024-03-19
Priority P4 25 | medium | 6.1 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.52% (40.0th percentile)
Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| laravel | livewire | 3.3.5 – 3.4.9 | — |
| livewire | livewire | >= 3.3.5 < 3.4.9 | 3.4.9 |
| livewire | livewire | >= 3.3.5 < 3.4.9 | 3.4.9 |
OSV
Cross-site Scripting in livewire/livewire
osv·2024-03-19
CVE-2024-21504 [MEDIUM] Cross-site Scripting in livewire/livewire
GHSA
Cross-site Scripting in livewire/livewire
ghsa·2024-03-19
CVE-2024-21504 [MEDIUM] CWE-79 Cross-site Scripting in livewire/livewire
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/livewire/livewire/commit/c65b3f0798ab2c9338213ede3588c3cdf4e6fcc0
https://github.com/livewire/livewire/pull/8117
https://github.com/livewire/livewire/releases/tag/v3.4.9
https://security.snyk.io/vuln/SNYK-PHP-LIVEWIRELIVEWIRE-6446222
2024-03-19
Published