CVE-2017-9303
MEDIUMLaravel 5.4.x < 5.4.22 - Improper Input Validation in Password Reset URL Host
Title source: llmDescription
Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/98776
Scores
CVSS v3
6.1
EPSS
0.0096
EPSS Percentile
57.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-20
Status
published
Products (4)
illuminate/auth
5.3.0Packagist
laravel/framework
5.3.0Packagist
laravel/laravel
5.4.0
laravel/laravel
5.4.0 - 5.4.22Packagist
Published
May 29, 2017
Tracked Since
Feb 18, 2026