CVE-2024-13918
Published: 10 March 2025
Description
The Laravel framework, versions 11.9.0 through 11.35.1, is susceptible to reflected cross-site scripting: request parameters are not properly HTML-encoded when they are rendered on the debug-mode error page, so script carried in a crafted request is reflected into the page shown to the victim.
Security Summary
CVE-2024-13918 is a reflected cross-site scripting vulnerability (CWE-79) in the Laravel framework, versions 11.9.0 through 11.35.1. The framework's debug-mode error page renders request parameters without properly HTML-encoding them, so attacker-controlled input in a request that triggers an exception is reflected into the page as markup rather than as text. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and was published on 2025-03-10.
Exploitation is over the network and requires no privileges, but two conditions must hold, which is why the vector records high attack complexity and required user interaction: the target application must be running with debug mode enabled (APP_DEBUG=true in Laravel's .env, a setting that should never be on in production), and the victim must follow a crafted link to a route whose request triggers an exception. The attacker places the payload in a request parameter so that the resulting error page reflects it, and the script then executes in the victim's browser within the application's origin. That is the changed scope in the vector: the impact lands on the user's browser session rather than on the vulnerable server component. Script running there can read page content, send authenticated requests on the victim's behalf and alter what the user sees, hence the high confidentiality and integrity impact and the session hijacking risk.
The fix shipped in Laravel framework 11.36.0 via laravel/framework pull request #53869 on GitHub. Until the upgrade is applied, confirming that APP_DEBUG is false removes the vulnerable error page from the attack surface. Further details appear in the SBA Research advisory (SBA-ADV-20241209-01) and the oss-security mailing list discussion of 10 March 2025.
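The summary above implies three checks a responder will want to script: is the deployed laravel/framework version inside the affected range, is debug mode switched on, and does a captured error page reflect an injected parameter raw or HTML-encoded. The following Python helpers are an added example written for this page, not code from Laravel, SBA Research or the fix PR. They assume the affected range 11.9.0 through 11.35.1 with 11.36.0 as the first fixed release (from the advisory text), Laravel's APP_DEBUG switch in .env, and PHP's htmlspecialchars() with ENT_QUOTES (what Laravel's e() helper emits) as the encoding a correctly escaped page would show. The function names and every sample input are the example's own and are constructed.

```python
"""Triage helpers for CVE-2024-13918 (Laravel debug-mode error page, reflected XSS).

Added example, not code from Laravel, the SBA advisory or the fix PR.  Assumptions:
the affected range 11.9.0 <= v < 11.36.0 taken from the advisory text, Laravel's
APP_DEBUG .env switch, and PHP htmlspecialchars(ENT_QUOTES) as the encoding a
correctly escaped page would show.  All sample inputs below are constructed.
"""
import json
import re
from typing import Optional, Tuple

AFFECTED_MIN: Tuple[int, int, int] = (11, 9, 0)   # first vulnerable release
FIXED: Tuple[int, int, int] = (11, 36, 0)          # first fixed release

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v11.35.1' or '11.35.1-beta' into (11, 35, 1); pre-release suffixes are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the laravel/framework version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def framework_version_from_lock(lock_json: str) -> Optional[str]:
    """Read the pinned laravel/framework version out of a composer.lock document."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None


def debug_enabled(dotenv: str) -> bool:
    """Parse a .env file; the vulnerable error page only renders when APP_DEBUG is truthy."""
    for raw in dotenv.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("APP_DEBUG="):
            continue
        value = line.split("=", 1)[1].strip().strip('"').strip("'").lower()
        return value in ("true", "1", "on", "yes")
    return False  # an unset APP_DEBUG means debug mode is off


def php_htmlspecialchars(text: str) -> str:
    """Mimic PHP htmlspecialchars() with ENT_QUOTES, which Laravel's e() helper uses.
    PHP encodes the single quote as &#039;, not the &#x27; Python's html.escape emits."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


def classify_reflection(body: str, canary: str) -> str:
    """Judge how an error page reflected an injected parameter value.

    'raw'     canary appears verbatim: markup from the request reaches the page unencoded
    'escaped' only the HTML-encoded form appears: the renderer encodes output correctly
    'absent'  the value is not reflected at all
    """
    if canary in body:
        return "raw"
    if php_htmlspecialchars(canary) in body:
        return "escaped"
    return "absent"


# Constructed inputs for a stand-alone run; none of these are real captures.
# The canary carries every character whose encoding decides the outcome.
CANARY = "\"'><svg onload=alert(13918)>"

SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.30.0"},
    {"name": "symfony/http-foundation", "version": "v7.1.6"},
]})

SAMPLE_DOTENV = "APP_NAME=Shop\n# APP_DEBUG=false\nAPP_DEBUG=true\nAPP_ENV=production\n"

# Vulnerable-style page: the query value lands inside the table cell unencoded.
VULNERABLE_BODY = f"<tr><td>q</td><td>{CANARY}</td></tr>"
# Patched-style page: the same value, HTML-encoded the way e() would emit it.
PATCHED_BODY = f"<tr><td>q</td><td>{php_htmlspecialchars(CANARY)}</td></tr>"

if __name__ == "__main__":
    version = framework_version_from_lock(SAMPLE_LOCK)
    print("laravel/framework", version, "affected:", is_affected(version))
    print("APP_DEBUG on:", debug_enabled(SAMPLE_DOTENV))
    print("vulnerable page:", classify_reflection(VULNERABLE_BODY, CANARY))
    print("patched page:", classify_reflection(PATCHED_BODY, CANARY))
```

Two caveats when using this against a real deployment. `debug_enabled` reads the static .env; once `php artisan config:cache` has been run Laravel no longer consults .env at runtime, so confirm the effective value from the running configuration as well. And a live probe (sending the canary as a query parameter to a route known to throw, on a system you are authorised to test) should treat any 'raw' result as the finding, since a single unencoded occurrence is enough for the reflected script to execute.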
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected Products
- Laravel framework, versions 11.9.0 through 11.35.1 (fixed in 11.36.0)
MITRE ATT&CK Enterprise Techniques
- T1204.001 User Execution: Malicious Link
- T1185 Browser Session Hijacking: adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?
Reflected XSS is delivered through a crafted link that the victim has to open (T1204.001). The script that then runs inside the victim's browser session can read page content, act on the user's behalf and intercept what the user sends and sees, which is the behaviour ATT&CK groups under browser session hijacking (T1185).