Reflected Cross-Site Scripting Vulnerability in Laravel Framework
CVE-2024-13918

6.1 MEDIUM

Key Information:

Vendor:
CVE Published: 10 March 2025


What is CVE-2024-13918?

CVE-2024-13918 is a reflected cross-site scripting (XSS) vulnerability found in the Laravel Framework, a popular PHP framework widely used for web application development. This vulnerability affects Laravel Framework versions from 11.9.0 to 11.35.1, primarily due to improper encoding of request parameters in debug-mode error pages. If exploited, this vulnerability can allow attackers to inject malicious scripts into web pages seen by users, potentially leading to unauthorized actions or information theft, which poses a significant security risk for organizations relying on Laravel for their applications.

Technical Details

The vulnerability arises specifically from how the Laravel Framework handles request parameters when rendering error pages in debug mode. In this state, the application does not sufficiently encode these parameters, making it possible for adversaries to inject JavaScript that executes in the browser of any user who views the debug error page. The improper handling is limited to debug mode and affects only the versions listed below, so organizations should check both the installed framework version and whether debug mode is enabled in their deployed configurations.

Potential impact of CVE-2024-13918

  1. Unauthorized Script Execution: An attacker can exploit this vulnerability to execute arbitrary scripts in the context of a user's session. This could lead to actions such as session hijacking, where the attacker could impersonate the user by stealing session cookies.

  2. Data Exposure: If attackers successfully inject scripts, they could potentially capture sensitive user data entered into forms on the website, leading to significant privacy violations and data breaches.

  3. Reputation Damage: Organizations affected by this vulnerability might face reputational harm, particularly if user data is misused or if end-users experience harmful impacts due to exploitation, leading to loss of trust and potential revenue losses.

Affected Version(s)

Laravel Framework >= 11.9.0 and <= 11.35.1
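Because exposure depends on two things the text names, the installed framework version falling in the affected range and debug mode being switched on, a deployment check needs to read both. The following is an added example written for this page, not code from Laravel or from the advisory; it assumes a project root containing a composer.lock with a "laravel/framework" entry and a .env file that sets APP_DEBUG, and treats an unset APP_DEBUG as false, which is Laravel's default.

```python
import json
import re

# Affected range as stated on the page: 11.9.0 <= laravel/framework <= 11.35.1.
AFFECTED_MIN = (11, 9, 0)
AFFECTED_MAX = (11, 35, 1)


def parse_version(text):
    """Turn 'v11.20.3' or '11.20.3' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def framework_version_from_lock(lock_json):
    """Return the installed laravel/framework version from composer.lock text, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg["version"]
    return None


def debug_enabled(env_text):
    """True if APP_DEBUG is set to a truthy value in .env-style text (unset means false)."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("APP_DEBUG="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("true", "1", "yes", "on")
    return False


def assess(lock_json, env_text):
    """'exposed' (affected version, debug on), 'patch-needed' (affected, debug off), or 'not-affected'."""
    version = framework_version_from_lock(lock_json)
    if version is None or not is_affected_version(version):
        return "not-affected"
    return "exposed" if debug_enabled(env_text) else "patch-needed"


# Constructed sample inputs, not real project files.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "laravel/framework", "version": "v11.20.0"}]})
SAMPLE_ENV = "APP_NAME=Demo\nAPP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))  # exposed
```

A "patch-needed" result still means the vulnerable code is present; setting APP_DEBUG to false removes the exposed error page but upgrading the framework is the actual fix.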

News Articles

oss-sec: [SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page

oss-sec mailing list archives [SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page From: SBA Research Security Advisory <advisory ()...

Laravel Framework Vulnerability Lets Attackers Execute Malicious JavaScript

A critical security vulnerability (CVE-2024-13918) in the Laravel framework allows attackers to execute arbitrary JavaScript code on websites running affected versions of the popular PHP framework. 

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability started trending

  • First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved

Credit

Fabian Funder (SBA Research)
Philipp Adelsberger (SBA Research)
Jeremy Angele