CVE-2017-9303

MEDIUM

Laravel 5.4.x < 5.4.22 - Improper Input Validation in Password Reset URL Host

Title source: llm
STIX 2.1

Description

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98776

Scores

CVSS v3 6.1
EPSS 0.0096
EPSS Percentile 57.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-20
Status published
Products (4)
illuminate/auth 5.3.0Packagist
laravel/framework 5.3.0Packagist
laravel/laravel 5.4.0
laravel/laravel 5.4.0 - 5.4.22Packagist
Published May 29, 2017
Tracked Since Feb 18, 2026