Description
Laravel is a web application framework. Laravel versions prior to 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is possible because a user can guess the parent placeholder SHA-1 hash by trying common section names. If the parent template contains an exploitable HTML structure, an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.
References (8)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw
Patch, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/pull/39906
Patch, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/pull/39908
Patch, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/pull/39909
Patch, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/releases/tag/v6.20.42
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/releases/tag/v7.30.6
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/laravel/framework/releases/tag/v8.75.0
Scores
CVSS v3 Base Score: 5.3
EPSS: 0.0036
EPSS Percentile: 58.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE: CWE-327, CWE-79
Status: published
Products (3)
illuminate/view: 0 - 6.20.42 (Packagist)
laravel/framework: < 6.20.42
laravel/framework: 0 - 6.20.42 (Packagist)
Published: Dec 08, 2021
Tracked Since: Feb 18, 2026