Laravel
cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*
- >= 11.9.0, <= 11.35.1
A reflected cross-site scripting vulnerability has been identified in the Laravel framework, specifically in versions 11.9.0 prior to 11.35.1. This issue arises from improper encoding of request parameters in the error page displayed during debug mode, allowing attackers to inject and execute JavaScript in the context of the user's browser.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.
To reproduce this vulnerability, first ensure that the Laravel application is running in debug mode by setting 'APP_DEBUG=true' in the .env file. Next, create an endpoint that triggers an error, such as a division by zero. When the error occurs, the debug-mode error page will be generated. This page can be exploited by including a payload, such as a script tag, in the URL parameters. The injected script will be executed by the browser, demonstrating the cross-site scripting vulnerability.
Users can upgrade to Laravel version 11.36.0 or later, where this vulnerability has been fixed. If an upgrade is not possible, the application should be configured to disable debug mode by setting 'APP_DEBUG=false'.
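A quick exposure check for the two conditions above (an affected framework version together with APP_DEBUG=true), added here as an example and not part of the advisory or of Laravel itself. It assumes the installed version is taken from composer.lock and debug mode from .env, passed in as file contents, and uses the advisory's own version range.

```shell
#!/bin/sh
# Added exposure check, not Laravel tooling. Assumes the installed framework
# version comes from composer.lock and debug mode from .env, both passed as strings.
# vercmp A B: prints -1, 0 or 1 as dotted version A is <, = or > B.
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -lt "$b" ]; then printf '%s\n' -1; return; fi
    if [ "$a" -gt "$b" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}
# is_affected VERSION: succeeds if VERSION is in the advisory's range (a leading "v" is ignored).
is_affected() {
  v=${1#v}
  [ "$(vercmp "$v" 11.9.0)" -ge 0 ] && [ "$(vercmp "$v" 11.35.1)" -le 0 ]
}
# framework_version LOCK_JSON: prints the locked laravel/framework version.
framework_version() {
  printf '%s\n' "$1" | tr -d '\n' |
    sed -n 's/.*"name": *"laravel\/framework", *"version": *"\([^"]*\)".*/\1/p'
}
# debug_enabled ENV_TEXT: succeeds if the last APP_DEBUG line resolves to true.
debug_enabled() {
  val=$(printf '%s\n' "$1" | grep -E '^APP_DEBUG=' | tail -n 1 |
        cut -d= -f2- | tr -d "\"'" | tr 'A-Z' 'a-z')
  [ "$val" = "true" ]
}
# exposure LOCK_JSON ENV_TEXT: "exposed" (affected version, debug on),
# "upgrade-needed" (affected version, debug off) or "ok".
exposure() {
  ver=$(framework_version "$1")
  if is_affected "$ver"; then
    if debug_enabled "$2"; then echo exposed; else echo upgrade-needed; fi
  else
    echo ok
  fi
}
# Constructed sample inputs standing in for a real composer.lock and .env.
SAMPLE_LOCK='{"packages": [{"name": "laravel/framework", "version": "v11.20.0"}]}'
SAMPLE_ENV='APP_NAME=Demo
APP_DEBUG=true'
echo "laravel/framework $(framework_version "$SAMPLE_LOCK"): $(exposure "$SAMPLE_LOCK" "$SAMPLE_ENV")"
```

Against a real deployment, run it as `exposure "$(cat composer.lock)" "$(cat .env)"`; a result of "upgrade-needed" still means the fix in 11.36.0 should be applied, since debug mode can be re-enabled later.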