
Security researchers Fabian Funder and Philipp Adelsberger at SBA Research have discovered two reflected cross-site scripting (XSS) vulnerabilities in the Laravel framework. These vulnerabilities, tracked as CVE-2024-13918 and CVE-2024-13919, affect Laravel versions between 11.9.0 and 11.35.1 and could allow attackers to execute arbitrary JavaScript code in a user’s browser.
Reflected XSS vulnerabilities occur when a web application takes input from a request (a URL parameter or a field in the request body) and writes it back into the response page without proper encoding. If a user clicks on a link containing the malicious code, their browser will execute it in the context of the site, potentially allowing the attacker to steal cookies, session tokens, or other sensitive information.
In the case of Laravel, the vulnerabilities stem from improper encoding of request parameters and route parameters in the debug-mode error page. When debug mode is enabled, Laravel displays detailed error messages that include the values of request parameters and route parameters. If these values are not HTML-encoded before being written into the page, a parameter value containing markup is interpreted by the browser as markup rather than displayed as text, so an attacker can inject code into them that is reflected back to the user's browser.
“The values in the URL parameters and in the request body are embedded in the error page without proper encoding,” the report explains.
To exploit these vulnerabilities, an attacker would need to trick a user into clicking on a malicious link. The link would contain a specially crafted payload that would inject JavaScript code into the vulnerable parameters. When the user clicks on the link, their browser would execute the code, potentially allowing the attacker to take control of their account or steal their data.
The researchers have reported these vulnerabilities to Laravel, and a patch has been released in version 11.36.0. Users of Laravel are urged to upgrade to the latest version to mitigate the risk. If upgrading is not possible, users can disable debug mode by setting APP_DEBUG=false in their configuration (typically the application's .env file); debug mode should not be enabled on production systems in any case, since the detailed error page is only intended for development.
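The following is an added example, not Laravel's own code or the researchers' report, illustrating both points above: the defect class (request and route parameter values written into an error page without HTML encoding, beside the encoded form) and the mitigation (gating the detailed page on APP_DEBUG). The function names are assumptions, and `debugEnabled()` is only an approximation of how Laravel's env() helper reads boolean strings, not the framework's implementation.

```php
<?php
// Added example (not Laravel's code): render the parameter section of a
// debug error page with HTML encoding, and gate it on APP_DEBUG so a
// production deployment never echoes request data at all.
declare(strict_types=1);

/**
 * Approximation of how Laravel's env() helper interprets boolean-ish
 * strings from .env (assumption: only the common spellings are handled).
 */
function debugEnabled(array $env): bool
{
    $raw = strtolower(trim((string) ($env['APP_DEBUG'] ?? 'false')));
    return in_array($raw, ['true', '(true)', '1', 'on', 'yes'], true);
}

/** Escape a value for placement inside HTML element content or attributes. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both quote styles so the value is also safe inside a
    // quoted attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8,
    // which would otherwise silently drop the parameter from the page.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unencoded rendering: this is the defect class the advisory describes. */
function renderParamsUnsafe(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= "<tr><td>{$name}</td><td>{$value}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

/** Encoded rendering: every key and value passes through escapeHtml() first. */
function renderParamsSafe(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= '<tr><td>' . escapeHtml((string) $name) . '</td><td>'
               . escapeHtml((string) $value) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

/**
 * Error page body. Request/route parameters are only included when debug is
 * on; with APP_DEBUG=false the page carries no attacker-controlled text.
 */
function renderErrorPage(array $env, array $requestParams, array $routeParams): string
{
    if (!debugEnabled($env)) {
        return '<h1>Server Error</h1>';
    }
    return '<h1>Server Error (debug)</h1>'
         . '<h2>Request parameters</h2>' . renderParamsSafe($requestParams)
         . '<h2>Route parameters</h2>' . renderParamsSafe($routeParams);
}

// Constructed sample input: a harmless tag and a quote character are enough
// to show the difference between the two renderers.
$request = ['search' => '<b>term</b>', 'q"' => 'x'];
$route   = ['id' => '42'];

echo "--- unsafe (tags survive as markup) ---\n", renderParamsUnsafe($request), "\n";
echo "--- safe (tags encoded as text) ---\n", renderParamsSafe($request), "\n";
echo "--- production (APP_DEBUG=false) ---\n",
     renderErrorPage(['APP_DEBUG' => 'false'], $request, $route), "\n";
echo "--- development (APP_DEBUG=true) ---\n",
     renderErrorPage(['APP_DEBUG' => 'true'], $request, $route), "\n";
```

Run it with `php example.php`. In the unsafe output the `<b>` tag remains intact in the table cell; in the safe output it appears as `&lt;b&gt;term&lt;/b&gt;`, which the browser displays literally. The production branch shows why APP_DEBUG=false is an effective stop-gap: when the detailed page is not rendered at all, there is no reflected value to encode.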