CVE-2024-13919
Published: 10 March 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behavior, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2024-13919 is a reflected cross-site scripting (XSS) vulnerability affecting the Laravel framework in versions 11.9.0 through 11.35.1. The issue stems from improper encoding of route parameters when displayed on the debug-mode error page, allowing malicious scripts to be injected and executed. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79.
An unauthenticated remote attacker can exploit this vulnerability by tricking a user into accessing a specially crafted URL that triggers the framework's error page while the application is running in debug mode (APP_DEBUG=true). The route parameter is reflected into the page without HTML encoding, so the attacker's payload executes in the victim's browser in the origin of the application, with high confidentiality and integrity impact (for example acting on the user's authenticated session, reading page content, or submitting requests on the user's behalf). Exploitation requires user interaction and has high attack complexity, because the target must be running with debug mode enabled, which should never be the case in production.
Mitigation involves upgrading to Laravel framework version 11.36.0 or later; the fix was merged in laravel/framework pull request #53869 on GitHub. Until the upgrade is applied, ensure APP_DEBUG is set to false in any reachable deployment, since the vulnerable page is only rendered in debug mode. Further details on the vulnerability and remediation are provided in the SBA Research advisory (published on the sbaresearch GitHub) and in the oss-security mailing list announcement.
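The following PHP is an added illustration of the bug class described above and of the two checks a practitioner would run before relying on the upgrade; it is not the Laravel framework's code and not the patch from PR #53869. The rendering functions mimic a debug page that interpolates a route parameter into HTML, first unencoded and then encoded with htmlspecialchars; the version range and the APP_DEBUG precondition are taken from the advisory text, while the .env excerpt, the composer.lock excerpt and the payload are constructed sample input.

```php
<?php
// Added example for CVE-2024-13919. Not the Laravel framework's own code and not
// the fix from PR #53869: it reproduces the bug class (a route parameter reflected
// into an HTML debug page without encoding) next to a hardened form, and adds two
// deployment checks (affected version, debug mode enabled).

declare(strict_types=1);

/**
 * Vulnerable pattern: the route parameter is interpolated into HTML verbatim,
 * so any markup in $routeParam becomes part of the rendered page.
 */
function renderDebugPageVulnerable(string $routeParam): string
{
    return '<h1>Exception</h1><p>Route parameter: ' . $routeParam . '</p>';
}

/**
 * Hardened pattern: encode for the HTML text context before interpolating.
 * ENT_QUOTES also encodes ' and " so the value stays inert inside attributes.
 */
function renderDebugPageSafe(string $routeParam): string
{
    $encoded = htmlspecialchars($routeParam, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h1>Exception</h1><p>Route parameter: ' . $encoded . '</p>';
}

/**
 * Is an installed laravel/framework version inside the affected range
 * 11.9.0 .. 11.35.1 (fixed in 11.36.0) stated in the advisory?
 */
function isAffectedLaravelVersion(string $version): bool
{
    $v = ltrim($version, 'v'); // composer.lock records tags as "v11.x.y"
    return version_compare($v, '11.9.0', '>=') && version_compare($v, '11.36.0', '<');
}

/**
 * Debug mode is the precondition for the vulnerable page to render at all.
 * Parse .env contents and report whether APP_DEBUG is truthy. The coercion
 * approximates Laravel's env() helper: "false", "(false)", "null", "(null)",
 * "empty", "(empty)", "" and "0" are false, anything else is truthy.
 */
function debugModeEnabled(string $envContents): bool
{
    foreach (preg_split('/\R/', $envContents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^APP_DEBUG\s*=\s*"?([^"\s#]*)"?/i', $line, $m)) {
            $falsy = ['false', '(false)', 'null', '(null)', 'empty', '(empty)', '', '0'];
            return !in_array(strtolower($m[1]), $falsy, true);
        }
    }
    return false; // Laravel defaults app.debug to false when the key is absent
}

// Constructed sample input (not a real capture): a route parameter carrying a payload.
$payload = '<img src=x onerror=alert(document.cookie)>';

echo "vulnerable: ", renderDebugPageVulnerable($payload), PHP_EOL; // tag emitted as markup
echo "hardened:   ", renderDebugPageSafe($payload), PHP_EOL;       // tag emitted as text

// Constructed sample .env and composer.lock excerpt (not from a real deployment).
$env  = "APP_NAME=Demo\nAPP_ENV=production\nAPP_DEBUG=true\n";
$lock = json_encode(['packages' => [['name' => 'laravel/framework', 'version' => 'v11.20.0']]]);

$installed = null;
foreach (json_decode($lock, true)['packages'] as $pkg) {
    if ($pkg['name'] === 'laravel/framework') {
        $installed = $pkg['version'];
    }
}

$affected = $installed !== null && isAffectedLaravelVersion($installed);
$debug    = debugModeEnabled($env);
printf("laravel/framework %s affected=%s debug=%s exposed=%s\n",
    $installed ?? 'not installed',
    $affected ? 'yes' : 'no',
    $debug ? 'yes' : 'no',
    ($affected && $debug) ? 'YES' : 'no');
```

Run it with `php example.php`. With the constructed input the hardened renderer emits the payload as `&lt;img ...&gt;` text, the version check reports 11.20.0 as affected, and the debug check reports APP_DEBUG=true, so the deployment is flagged as exposed; flipping APP_DEBUG to false clears the exposure even before the upgrade, which is exactly the interim mitigation described above.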
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Affected Products: Laravel framework 11.9.0 through 11.35.1 (fixed in 11.36.0)
MITRE ATT&CK Enterprise Techniques: T1566.002 (Phishing: Spearphishing Link), T1185 (Browser Session Hijacking)
Why these techniques?
Reflected XSS via a crafted URL relies on delivering that URL to a victim, typically as a spearphishing link (T1566.002), and the resulting script execution in the victim's browser enables browser session hijacking or cookie theft (T1185).