Message-ID: <904c76c05004415e89565bf3288628c5@sba-research.org>
Date: Mon, 10 Mar 2025 10:40:23 +0000
From: SBA Research Security Advisory <advisory@...-research.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SBA-ADV-20241209-02] CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page

# Laravel Reflected XSS via Route Parameter in Debug-Mode Error Page #

Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-02_Laravel_Reflected_XSS_via_Route_Parameter_in_Debug-Mode_Error_Page

## Vulnerability Overview ##

Laravel framework versions 11.9.0 through 11.35.1 are susceptible to
reflected cross-site scripting because route parameters are embedded in the
debug-mode error page without HTML encoding.

* **Identifier**            : SBA-ADV-20241209-02
* **Type of Vulnerability** : Cross-Site Scripting
* **Software/Product Name** : [Laravel Framework](https://github.com/laravel/framework)
* **Vendor**                : [Laravel Holdings Inc.](https://laravel.com/)
* **Affected Versions**     : between 11.9.0 and 11.35.1
* **Fixed in Version**      : 11.36.0
* **CVE ID**                : CVE-2024-13919
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
* **CVSS Base Score**       : 8.0 (High)

## Vendor Description ##

> Laravel is a web application framework with expressive, elegant syntax.

Source: <https://github.com/laravel/framework/blob/11.x/README.md>

## Impact ##

This vulnerability allows attackers to execute JavaScript code in a user's
browser within the origin of the affected web application. The user needs to
open the attacker-provided link, and the web application needs to be running
in debug mode (`APP_DEBUG=true`).

## Vulnerability Description ##

When debug mode is active (`APP_DEBUG=true`) and the web application fails
with an error (HTTP status 5XX), Laravel renders a debug error page that
includes information about the request that triggered the error. The values
taken from the URL path (the route parameters) are embedded in this page
without proper encoding.

The following Blade template snippet shows the sink. Laravel's Blade
templating engine deactivates HTML encoding for data passed via `{!! !!}`,
so the JSON-encoded route parameters are inserted into the page verbatim.

```html
<div class="mt-1 rounded border dark:border-gray-800">
    <div class="flex items-center">
        <span
            class="min-w-0 flex-grow"
            style="[…]"
        >
            <pre class="scrollbar-hidden mx-5 my-3 overflow-y-hidden text-xs lg:text-sm"><code class="overflow-y-hidden scrollbar-hidden overflow-x-scroll scrollbar-hidden-x">{!! $routeParametersContext !!}</code></pre>
        </span>
    </div>
</div>
```

## Proof of Concept ##

### Prerequisites ###

First, make sure that debug mode is active by setting `APP_DEBUG=true` in
the `.env` file. Second, add a route that produces an error, e.g., a division
by zero.

```php
<?php

use Illuminate\Support\Facades\Route;

Route::get('/poc-route/{id}', function (string $id) {
    return 0/0;
});
```

### Exploitation ###

In this case the application is available under the origin
`http://localhost:8000`.

When the link
`http://localhost:8000/poc-route/%3Cimg%20src=''%20onerror='alert(1)'%3E` is
opened, the `poc-route` handler executes, a division-by-zero exception is
thrown, and the web server responds with a `500 Internal Server Error`. The
generated error page contains the following HTML code.

```html
<div class="flex items-center">
  <span class="min-w-0 flex-grow" style="[…]">
    <pre class="[…]">
      <code class="[…]">{
"id": "<img src="" onerror="alert(1)">"
}</code>
    </pre>
  </span>
</div>
```

Because the `id` value is embedded without HTML encoding, the browser
interprets it as markup, executes the injected JavaScript and, therefore,
opens an alert.
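To make the sink and its fix concrete, the following PHP script (added here as an example; it is not code from the advisory or from the Laravel project) builds a route-parameter context for the PoC value above and renders it both the way `{!! !!}` does and the way the HTML-encoding `{{ }}` form would. The function names and the exact shape of the context string are assumptions; the last function goes beyond the page by showing hex-escaping at the JSON layer as defence in depth.

```php
<?php
declare(strict_types=1);

// Build the route-parameter context the way a debug page does: a pretty-printed
// JSON document of the matched route parameters (assumed shape; example code).
function routeParametersContext(array $routeParameters): string
{
    return json_encode($routeParameters, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
}

// The vulnerable sink: Blade's {!! !!} inserts the string verbatim, so any
// markup inside a parameter value becomes live HTML in the error page.
function renderUnencoded(string $context): string
{
    return '<pre><code>' . $context . '</code></pre>';
}

// The safe form: what Blade's {{ }} (Laravel's e() helper) does, i.e. HTML-encode
// every special character so the browser shows the JSON as text.
function renderEncoded(string $context): string
{
    $encoded = htmlspecialchars($context, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<pre><code>' . $encoded . '</code></pre>';
}

// Defence in depth at the JSON layer: the JSON_HEX_* flags turn <, >, &, ' and "
// inside string values into \uXXXX escapes, so the context stays inert even if
// a template forgets to encode it.
function routeParametersContextHexEscaped(array $routeParameters): string
{
    $flags = JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR
        | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($routeParameters, $flags);
}

// Returns true when a raw '<' survives into the <code> element, i.e. when the
// rendered context would be parsed as markup rather than displayed as text.
function leaksMarkup(string $html): bool
{
    preg_match('#<code>(.*)</code>#s', $html, $m);
    return isset($m[1]) && str_contains($m[1], '<');
}

// Constructed input: the URL-decoded route parameter from the advisory's PoC link.
$params  = ['id' => "<img src='' onerror='alert(1)'>"];
$context = routeParametersContext($params);

var_dump(leaksMarkup(renderUnencoded($context)));                                   // the {!! !!} sink
var_dump(leaksMarkup(renderEncoded($context)));                                     // the {{ }} equivalent
var_dump(leaksMarkup(renderUnencoded(routeParametersContextHexEscaped($params))));  // hex-escaped JSON through the raw sink
```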

## Recommended Countermeasures ##

If possible, upgrade to the fixed version 11.36.0 or above.
If you are unable to upgrade, ensure that the application does not run in
debug mode by setting `APP_DEBUG=false` in your configuration.

## Timeline ##

* `2024-11-28` Identified the vulnerability in version 11.34.1
* `2024-12-09` Initial contact attempt and disclosure of vulnerability to
               Laravel's security contact
* `2024-12-13` Security patch was merged
* `2024-12-14` Contacted Jeremy Angele (@angelej) who independently
               discovered the vulnerability and submitted the patch to fix it
* `2024-12-17` Laravel project releases fixed version 11.36.0
* `2025-02-05` Second attempt to contact Laravel's security contact
* `2025-03-10` No reaction from Laravel's security contact to all previous
               contact attempts
* `2025-03-10` SBA Research assigned CVE-2024-13919
* `2025-03-10` Public disclosure

## References ##

* Security Patch: <https://github.com/laravel/framework/pull/53869>

## Credits ##

* Fabian Funder ([SBA Research](https://www.sba-research.org/))
* Philipp Adelsberger ([SBA Research](https://www.sba-research.org/))