Laravel Framework Reflected Cross-Site Scripting Vulnerability in Debug Mode Error Page

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Laravel framework, specifically in versions 11.9.0 prior to 11.35.1. This issue arises from improper encoding of route parameters in the error page displayed during debug mode, allowing attackers to inject and execute JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's session.

Reproduction

To reproduce this vulnerability, first ensure that the Laravel application is running in debug mode by setting 'APP_DEBUG=true' in the .env file. Next, create a route that takes a parameter and triggers an error, such as a division by zero. When the error occurs, the debug-mode error page is generated and reflects the route parameter without HTML encoding. This can be exploited by accessing a crafted URL whose parameter contains a script injection, such as an image tag with an 'onerror' event; the browser renders the reflected markup as part of the error page and runs the handler.
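The following PHP script is an added example, not Laravel's own code or the code from the vulnerable error page. It models the defect at the level of a template that reflects a route parameter: one renderer interpolates the parameter into HTML unencoded, the other encodes it with htmlspecialchars before output (the same approach Laravel's e() helper and Blade's {{ }} syntax use), and a small check shows which rendering still contains the raw tag. The route name, parameter name and the sample parameter value are constructed for the example.

```php
<?php
// Added example: minimal model of a debug error page that reflects a route
// parameter, in the vulnerable form and in the hardened form.

declare(strict_types=1);

// Constructed sample input: a route parameter value carrying HTML, as it might
// arrive in a crafted URL. The page is assumed to reflect it verbatim.
const SAMPLE_PARAM = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the parameter value is interpolated straight into HTML,
// so any markup it carries becomes part of the page.
function renderErrorPageUnsafe(string $route, array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= "<tr><td>{$name}</td><td>{$value}</td></tr>\n";
    }
    return "<h1>DivisionByZeroError</h1>\n<p>Route: {$route}</p>\n<table>\n{$rows}</table>\n";
}

// Hardened pattern: every value reflected into HTML text is encoded first.
// ENT_QUOTES also encodes quotes, ENT_SUBSTITUTE replaces invalid UTF-8 rather
// than returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderErrorPageSafe(string $route, array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        $rows .= '<tr><td>' . escapeHtml((string) $name) . '</td><td>'
            . escapeHtml((string) $value) . "</td></tr>\n";
    }
    return "<h1>DivisionByZeroError</h1>\n<p>Route: " . escapeHtml($route)
        . "</p>\n<table>\n" . $rows . "</table>\n";
}

// Check used by the example: does the rendered page still contain the
// parameter value as raw markup?
function containsRawTag(string $html, string $param): bool
{
    return str_contains($html, $param);
}

// Constructed route and parameter set (hypothetical names).
$params = ['id' => SAMPLE_PARAM];
$unsafe = renderErrorPageUnsafe('/divide/{id}', $params);
$safe   = renderErrorPageSafe('/divide/{id}', $params);

printf("unsafe page reflects raw tag: %s\n", containsRawTag($unsafe, SAMPLE_PARAM) ? 'yes' : 'no');
printf("safe page reflects raw tag:   %s\n", containsRawTag($safe, SAMPLE_PARAM) ? 'yes' : 'no');
echo $safe;
```

Run it with php 8.0 or later (str_contains is a PHP 8 function). The unsafe renderer echoes the sample value as live markup; the safe renderer turns the angle brackets and quotes into entities, so the browser displays the parameter as text. The same distinction applies in Blade templates: {{ $value }} is encoded, {!! $value !!} is not, so reflected request data belongs only in the former.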

Remediation

Upgrade to Laravel version 11.36.0 or later, which contains the fix. If an upgrade is not possible, disable debug mode by setting 'APP_DEBUG=false' in the configuration. Debug mode should be off in production regardless of this issue, since the debug error page also exposes stack traces, environment details and request data to anyone who can trigger an error.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 7.9
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.