CVE-2019-17433: z-song laravel-admin XSS via the Slug or Name on the Roles screen

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.44613%
Published: 5/24/2022
Updated: 2/1/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: encore/laravel-admin
Ecosystem: composer
Vulnerable Versions: = 1.7.3
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis

The XSS vulnerability stems from improper output encoding when user-controlled Role Slug/Name values are displayed in the Operation Log. The exact code is not visible, but the pattern matches the common Laravel Blade XSS case where (1) controllers pass raw user input to views and (2) the views render it with unescaped output syntax. The 'wontfix' label suggests the defect lies in the view layer's rendering rather than in input validation.

WAF Protection Rules

WAF Rule

z-song laravel-admin 1.7.3 has XSS via the Slug or Name on the Roles screen, because of mishandling on the "Operation log" screen.
