CVE-2024-13918

Name: CVE-2024-13918
Description: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the debug-mode error page.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release               Version                   Status
php-laravel-framework   bullseye              6.20.14+dfsg-2+deb11u1    vulnerable
php-laravel-framework   bullseye (security)   6.20.14+dfsg-2+deb11u2    vulnerable
php-laravel-framework   bookworm              8.83.26+dfsg-2            vulnerable
php-laravel-framework   sid, trixie           10.48.25+dfsg-2           vulnerable

The information below is based on the following data on fixed versions.

Package                 Type     Release        Fixed Version   Urgency   Origin   Debian Bugs
php-laravel-framework   source   experimental   11.44.0-1       -         -        -
php-laravel-framework   source   (unstable)     (unfixed)       -         -        -

Notes

https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page
https://github.com/laravel/framework/commit/45287fb2a91c69bb1c110539b9b7341faf5aee33 (v11.36.0)
