Debian Php-Laravel-Framework vulnerabilities

15 known vulnerabilities affecting debian/php-laravel-framework.

Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 2, LOW 10

Vulnerabilities

CVE-2025-27515 | MEDIUM | CVSS 6.9 | fixed in php-laravel-framework 10.48.29+dfsg-1 (forky) | 2025
[MEDIUM] php-laravel-framework: Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1. Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 10.48.29+dfsg-1); sid: resolv

CVE-2024-52301 | HIGH | CVSS 8.7 | fixed in php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye) | 2024
[HIGH] php-laravel-framework: Laravel is a web application framework. When the register_argc_argv php directive is set to on, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignor

CVE-2024-13918 | LOW | CVSS 8.0 | 2024
[HIGH] php-laravel-framework: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2024-13919 | LOW | CVSS 8.0 | 2024
[HIGH] php-laravel-framework: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route parameters in the debug-mode error page. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2021-43617 | CRITICAL | CVSS 9.8 | PoC | fixed in php-laravel-framework 6.20.14+dfsg-3 (bookworm) | 2021
[CRITICAL] php-laravel-framework: Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports conce

CVE-2021-21263 | HIGH | CVSS 7.2 | fixed in php-laravel-framework 6.20.11+dfsg-1 (bookworm) | 2021
[HIGH] php-laravel-framework: Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its ex

CVE-2021-43808 | MEDIUM | CVSS 5.3 | fixed in php-laravel-framework 6.20.14+dfsg-3 (bookworm) | 2021
[MEDIUM] php-laravel-framework: Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeh

CVE-2020-24941 | LOW | CVSS 7.5 | 2020
[HIGH] php-laravel-framework: An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2020-19316 | LOW | CVSS 8.8 | 2020
[HIGH] php-laravel-framework: OS command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2020-24940 | LOW | CVSS 7.5 | 2020
[HIGH] php-laravel-framework: An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2018-15133 | LOW | CVSS 8.1 | KEV | PoC | 2018
[HIGH] php-laravel-framework: In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the appli

CVE-2018-6330 | LOW | CVSS 8.8 | 2018
[HIGH] php-laravel-framework: Laravel 5.4.15 is vulnerable to error-based SQL injection in save.php via the dhx_user and dhx_version parameters. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2017-16894 | LOW | CVSS 7.5 | PoC | 2017
[HIGH] php-laravel-framework: In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restr

CVE-2017-14775 | LOW | CVSS 5.9 | 2017
[MEDIUM] php-laravel-framework: Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2017-9303 | LOW | CVSS 6.1 | 2017
[MEDIUM] php-laravel-framework: Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved