Laravel Cross-site Scripting (XSS) vulnerability in blade templating

Laravel 7.1.2 addresses a possible XSS related attack vector in the Laravel 7.x Blade Component tag attributes when users are allowed to dictate the value of attributes. All Laravel 7.x users are encouraged to upgrade as soon as possible.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-vr95-p7q6-8m9q
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
laravel / framework	7.0.0	7.1.2

https://blog.laravel.com/security-laravel-712-released
https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-03-13-1.yaml
https://github.com/laravel/framework/pull/31945
https://github.com/laravel/framework/releases/tag/v7.1.2

Vulnerability Database

Laravel Cross-site Scripting (XSS) vulnerability in blade templating