Laravel

stack.watch can email you when security vulnerabilities are reported in any Laravel product. You can add multiple products that you use with Laravel to create your own personal software stack watcher.

Products by Laravel Sorted by Most Security Vulnerabilities since 2018

Laravel: 4 vulnerabilities
PHP Web Application Development Framework

Laravel Framework: 2 vulnerabilities


By the Year

In 2021 there has been 1 vulnerability in Laravel, with an average score of 5.3 out of ten. Last year Laravel had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Laravel in 2021 could surpass last year's number. Last year, the average CVE base score was greater by 2.20.

Year Vulnerabilities Average Score
2021 1 5.30
2020 2 7.50
2019 2 9.30
2018 1 8.10

It may take a day or so for new Laravel vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Laravel Security Vulnerabilities

Laravel is a web application framework

CVE-2021-21263 5.3 - Medium - January 19, 2021

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.

CVE-2021-21263 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and no impact on availability.

Downstream Injection

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2

CVE-2020-24940 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

CVE-2020-24940 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0

CVE-2020-24941 7.5 - High - September 04, 2020

An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.

CVE-2020-24941 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation

Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php

CVE-2018-6330 8.8 - High - March 28, 2019

Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.

CVE-2018-6330 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability

CVE-2019-9081 9.8 - Critical - February 24, 2019

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.

CVE-2019-9081 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

Marshaling, Unmarshaling

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29

CVE-2018-15133 8.1 - High - August 09, 2018

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

CVE-2018-15133 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Marshaling, Unmarshaling

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8