Laravel does not properly constrain the host portion of a password-reset URL

🗓️ 17 May 2022 02:42:21Reported by GitHub Advisory DatabaseType

Laravel 5.4.x allows unconstrained host for password-reset UR

Reporter	Title	Published	Views	Family All 11
CNVD	Laravel Security Bypass Vulnerability	1 Jun 201700:00	–	cnvd
CVE	CVE-2017-9303	29 May 201722:00	–	cve
Cvelist	CVE-2017-9303	29 May 201722:00	–	cvelist
Debian CVE	CVE-2017-9303	29 May 201722:00	–	debiancve
EUVD	EUVD-2022-5147	3 Oct 202520:07	–	euvd
Friends Of PHP	Password reset phishing vulnerability	1 Jan 197000:00	–	friendsofphp
Friends Of PHP	Password reset phishing vulnerability	1 Jan 197000:00	–	friendsofphp
NVD	CVE-2017-9303	29 May 201722:29	–	nvd
OSV	GHSA-RC8X-JRRC-FRFV Laravel does not properly constrain the host portion of a password-reset URL	17 May 202202:42	–	osv
Prion	Default credentials	29 May 201722:29	–	prion

Vulners

Node

laravel frameworkRange5.4.0–5.4.22composer

laravel frameworkRange5.3.0–5.3.31composer

illuminate authRange5.4.0–5.4.22composer

illuminate authRange5.3.0–5.3.31composer

laravel laravelRange5.4.0–5.4.22composer

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2017-9303
laravel-news	www.laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix
securityfocus	www.securityfocus.com/bid/98776
github	www.github.com/laravel/framework/commit/cef10551820530632a86fa6f1306fee95c5cac43
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-9303.yaml
github	www.github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-9303.yaml
laravel	www.laravel.com/docs/5.4/releases
web	www.web.archive.org/web/20171021180417/http://www.securityfocus.com/bid/98776
github	www.github.com/advisories/GHSA-rc8x-jrrc-frfv

25 Apr 2024 22:55Current

6.9Medium risk

Vulners AI Score6.9

CVSS 25.8

CVSS 36.1

EPSS0.00203