Search Results (Refine Search)
- CPE Product Version: cpe:/a:laravel:laravel:3.1.1
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-3129 |
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Published: January 12, 2021; 10:15:16 AM -0500 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2020-24941 |
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions. Published: September 03, 2020; 10:15:10 PM -0400 |
V3.1: 7.5 HIGH V2.0: 4.3 MEDIUM |
CVE-2020-24940 |
An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment. Published: September 03, 2020; 10:15:10 PM -0400 |
V3.1: 7.5 HIGH V2.0: 4.3 MEDIUM |
CVE-2018-15133 |
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack. Published: August 09, 2018; 3:29:00 PM -0400 |
V3.0: 8.1 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-16894 |
In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework. Published: November 19, 2017; 8:29:00 PM -0500 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-14775 |
Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. Published: September 27, 2017; 9:29:01 PM -0400 |
V3.0: 5.9 MEDIUM V2.0: 4.3 MEDIUM |