Cross-Site Request Forgery Vulnerability in Livewire by Laravel
CVE-2024-22859

8.8HIGH

Key Information:

Vendor: Laravel
Status: Livewire
Vendor: CVE Published:; 1 February 2024

What is CVE-2024-22859?

A Cross-Site Request Forgery (CSRF) vulnerability exists in Livewire prior to version 3.0.4, enabling remote attackers to leverage the getCsrfToken function. While the vendor disputes the security implications citing a previous commit as a fix for a usability issue, the potential for arbitrary code execution raises significant concerns for users relying on this component.

References

https://github.com/livewire/livewire/commit/5d887316f2aaf...

https://github.com/github/advisory-database/pull/3490

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 1, 2024
Vulnerability Reserved
Jan 11, 2024