CVERadar

CVE-2024-13918

Critical Severity
SVRS
76/100

CVSSv3
6.1/10

EPSS
0.00015/1

CVE-2024-13918: Laravel framework cross-site scripting vulnerability! Versions 11.9.0 to 11.35.1 are vulnerable to reflected XSS due to improper encoding of request parameters in the debug error page. The Laravel framework debug mode exposes a weakness where request parameters aren't properly encoded, leading to potential script injection. While CVSS rates this as 6.1, SOCRadar's Vulnerability Risk Score (SVRS) is 76, indicating a high risk demanding attention. This vulnerability could allow attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking or data theft. Act quickly to mitigate this threat in your web applications by updating to a patched version.

In The Wild
CVSS:3.1
AV:N
AC:L
PR:N
UI:R
S:C
C:L
I:L
A:N
2025-03-10

2025-03-24
SOCRadar
AI Insight

Description

CVE-2024-13918 is a reflected cross-site scripting (XSS) vulnerability affecting Laravel framework versions 11.9.0 through 11.35.1. The vulnerability stems from improper encoding of request parameters displayed on the debug-mode error page. Although the CVSS score is 8, the SOCRadar Vulnerability Risk Score (SVRS) is 36, suggesting a lower immediate risk compared to vulnerabilities with scores above 80. However, the tag "In The Wild" indicates that this vulnerability is actively exploited by hackers, increasing its importance.

Key Insights

  • Reflected XSS: The vulnerability is a reflected XSS, meaning malicious scripts are injected through request parameters. When the application reflects these parameters (specifically on the debug page when an error occurs) without proper encoding, the script executes in the victim's browser.
  • Exploit Status: Active exploits are already in use, given the "In The Wild" tag, increasing the urgency of patching this vulnerability, regardless of the relatively low SVRS score.
  • Debug Mode Dependency: The vulnerability's exploitation is primarily relevant when the application is in debug mode. While debug mode is typically disabled in production environments, its presence (or inadvertent activation) creates a potential attack vector.
  • Affected Versions: Specifically, Laravel versions between 11.9.0 and 11.35.1 are vulnerable. Therefore, knowing the current version of Laravel running within your environment is critical for assessment.

Mitigation Strategies

  1. Upgrade Laravel: The most effective mitigation is to upgrade to a version of Laravel that is not susceptible to CVE-2024-13918. Check the Laravel release notes to confirm which release contains the fix before upgrading.
  2. Disable Debug Mode: Ensure that debug mode is disabled in all production environments. This drastically reduces the attack surface, as the vulnerability is exposed via the debug error page.
  3. Input Validation and Encoding: Implement robust input validation and output encoding/escaping mechanisms across all application layers. Though specific to debug pages in this instance, general XSS protection is important.
  4. Web Application Firewall (WAF): Deploy or configure a Web Application Firewall (WAF) to detect and block XSS attacks. A WAF can provide an additional layer of protection even if code-level fixes are not immediately possible.
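The assessment step in the insights above (know your Laravel version and whether debug mode is on) can be scripted. The following helper is an added example, not SOCRadar's or Laravel's own tooling: it reads a project's composer.lock and .env, flags the affected range 11.9.0 to 11.35.1 named on this page, and reports exposure only when APP_DEBUG is also enabled, since the vulnerable output is the debug error page. The sample inputs at the bottom are constructed.

```python
# Added assessment helper, not from SOCRadar or the Laravel project: flags a
# project as exposed to CVE-2024-13918 when composer.lock pins laravel/framework
# inside 11.9.0-11.35.1 AND the .env file enables APP_DEBUG (debug error page).
import json
import re

AFFECTED_MIN = (11, 9, 0)
AFFECTED_MAX = (11, 35, 1)

def parse_version(ver):
    # composer.lock stores "v11.20.0"; strip the prefix and ignore any suffix
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError("unrecognised version string: %r" % ver)
    return tuple(int(x) for x in m.groups())

def framework_version(composer_lock):
    # Return the pinned laravel/framework version from composer.lock JSON, or None
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None

def is_affected_version(ver):
    return AFFECTED_MIN <= parse_version(ver) <= AFFECTED_MAX

def debug_enabled(env_text):
    # dotenv-style parse of APP_DEBUG; last assignment wins, default is off
    value = "false"
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        if key.strip() == "APP_DEBUG":
            value = raw.strip().strip("\"'").lower()
    return value in ("true", "1", "yes", "on")

def assess(composer_lock, env_text):
    # Exposure needs both conditions: affected version AND debug mode on
    ver = framework_version(composer_lock)
    affected = ver is not None and is_affected_version(ver)
    debug = debug_enabled(env_text)
    return {"version": ver, "affected_version": affected,
            "debug": debug, "exposed": affected and debug}

# Constructed sample inputs (not taken from any real project)
SAMPLE_LOCK = json.dumps({"packages": [{"name": "laravel/framework", "version": "v11.20.0"}]})
SAMPLE_ENV = "APP_NAME=Demo\n# APP_DEBUG=false\nAPP_DEBUG=true\n"
```

Run `assess(open("composer.lock").read(), open(".env").read())` from a project root; a result with `affected_version` true but `exposed` false still warrants the upgrade, since debug mode can be switched on later.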

Additional Information

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

[SBA-ADV-20241209-01] CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page (seclists.org, 2025-03-10)
Posted by SBA Research Security Advisory on Mar 10. Laravel Reflected XSS via Request Parameter in Debug-Mode Error Page. Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page. Vulnerability Overview: The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to

Laravel Framework Vulnerability Let Attackers Execute Malicious Java Script (cybersecuritynews.com, Guru Baran, 2025-03-10)
A critical security vulnerability (CVE-2024-13918) in the Laravel framework allows attackers to execute arbitrary JavaScript code on websites running affected versions of the popular PHP framework. The flaw, discovered in Laravel's debug-mode error page rendering, exposes applications to reflected cross-site scripting (XSS) attacks when running in development configurations. With a CVSS v3.1 score of 8.0 [...]

CVE-2024-13918 | Laravel Holdings Laravel Framework up to 11.35.1 cross site scripting (vuldb.com, 2025-03-10)
A vulnerability, which was classified as problematic, has been found in Laravel Holdings Laravel Framework up to 11.35.1. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-13918. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to

Laravel Framework Flaw Allows Attackers to Execute Malicious JavaScript (gbhackers.com, Divya, 2025-03-10)
A significant vulnerability has been identified in the Laravel framework, specifically affecting versions between 11.9.0 and 11.35.1. The issue revolves around improper encoding of request parameters on the error page when the application is running in debug mode, leading to reflected cross-site scripting (XSS). This flaw has been assigned the CVE identifier CVE-2024-13918 and has [...]

Social Media

@Shashwat_12304 @Netlas_io 🚨 Security Alert: CVE-2024-13918 & CVE-2024-13919 (Severity: 8.0) found in Laravel framework (v11.9.0 - 11.35.1). These vulnerabilities expose reflected XSS risks due to improper encoding of request and route parameters on debug error pages. #CyberSecurity #Laravel #XSS #CVE

Laravel Framework Vulnerable to Reflected XSS Attacks (CVE-2024-13918 & CVE-2024-13919) https://t.co/TabR2QsRXC

Laravel Framework Vulnerable to Reflected XSS Attacks (CVE-2024-13918 & CVE-2024-13919) These vulnerabilities allow attackers to execute malicious scripts via crafted URLs, posing a significant risk to web applications. https://t.co/SfqBhCjyml #Cybersecurity #XSS #Laravel

Laravel Framework Vulnerable to Reflected XSS Attacks (CVE-2024-13918 & CVE-2024-13919) https://t.co/fF59SlgInU

Laravel Framework Vulnerable to Reflected XSS Attacks (CVE-2024-13918 & CVE-2024-13919) CVE-2024-13918 and CVE-2024-13919, affect #Laravel versions between 11.9.0 and 11.35.1 and could allow attackers to execute arbitrary #JavaScript code https://t.co/zHpWuRKt0R

A few months ago, @ffabs98 from @SBA_Research and I discovered independently two reflected #XSS vulnerabilities in the #laravel framework ( < v11.36.0 ) when APP_DEBUG is enabled. CVE-2024-13918 CVE-2024-13919

CVE-2024-13918: Laravel 11.9.0-11.35.1 Reflected XSS via Request Parameter in Debug-Mode Error Page https://t.co/lmP3OqjqAH CVE-2024-13919: Laravel 11.9.0-11.35.1 Reflected XSS via Route Parameter in Debug-Mode Error Page https://t.co/2IGLqUIUDQ

CVE-2024-13918 The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request parameters in the d… https://t.co/THINmopi6K

Affected Software

No affected software found for this CVE

References

Reference | Link
1E3A9E0F-5156-4BF8-B8A3-CC311BFC0F4A | https://github.com/laravel/framework/pull/53869
1E3A9E0F-5156-4BF8-B8A3-CC311BFC0F4A | https://github.com/laravel/framework/releases/tag/v11.36.0
1E3A9E0F-5156-4BF8-B8A3-CC311BFC0F4A | https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page
AF854A3A-2127-422B-91AE-364DA2661108 | http://www.openwall.com/lists/oss-security/2025/03/10/3
GITHUB | https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page

CWE Details

CWE ID | CWE Name | Description
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
