CVE-2019-17433: z-song laravel-admin XSS via the Slug or Name on the Roles screen
CVSS Score: 4.8 (CVSS v3.1)

Basic Information
CVE ID: CVE-2019-17433
GHSA ID:
EPSS Score: 0.44613%
CWE:
Published: 5/24/2022
Updated: 2/1/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
encore/laravel-admin | composer | = 1.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The XSS vulnerability stems from improper output encoding when user-controlled Role Slug/Name values are displayed in the Operation Log. Although the exact code is not visible, the pattern matches the common Laravel Blade XSS shape: (1) a controller passes raw user input to a view, and (2) the view renders it with Blade's unescaped output syntax. The 'wontfix' label suggests the issue lies in the view layer's rendering rather than in input validation.
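To make the two rendering paths concrete, here is an added example in plain PHP (not laravel-admin's own code, and not the project's view template, which is not visible on this page). It reproduces what Blade compiles `{!! $x !!}` (raw echo) and `{{ $x }}` (echo through the `e()` helper, i.e. `htmlspecialchars` with `ENT_QUOTES` and UTF-8) into, over a constructed role record; the array keys and function names are assumptions.

```php
<?php
// Added example, not laravel-admin's own code. It mimics the Blade pattern
// from the root cause analysis in plain PHP so it runs without Laravel.
// The role record below is constructed; 'name' and 'slug' keys are assumed.

declare(strict_types=1);

// Mirrors Laravel's e() helper: htmlspecialchars with ENT_QUOTES and UTF-8,
// so <, >, &, " and ' can no longer open tags or break out of attributes.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// What Blade emits for {!! $role->name !!}: the value is echoed untouched,
// so any markup stored in a role name becomes live page content. This is
// the vulnerable shape the analysis describes.
function renderLogRowUnescaped(array $role): string
{
    return "<tr><td>{$role['name']}</td><td>{$role['slug']}</td></tr>";
}

// What Blade emits for {{ $role->name }}: each value passes through e() first,
// so the same input is displayed as text instead of being parsed as HTML.
function renderLogRowEscaped(array $role): string
{
    return '<tr><td>' . escapeForHtml($role['name']) . '</td><td>'
         . escapeForHtml($role['slug']) . '</td></tr>';
}

// Review check for rendered output: true if a '<' from the input survived
// into the HTML, which means the view did not encode that field.
function leaksRawMarkup(string $html, string $input): bool
{
    return str_contains($input, '<') && str_contains($html, '<' . substr($input, strpos($input, '<') + 1, 6));
}

// Constructed sample: a role name carrying markup, as a user with role-edit
// rights (PR:H in the CVSS vector) could save it on the Roles screen.
$role = ['name' => 'Auditor<script>alert(1)</script>', 'slug' => 'auditor'];

$raw     = renderLogRowUnescaped($role);
$escaped = renderLogRowEscaped($role);

echo "unescaped: {$raw}\n";   // the <script> element is part of the page
echo "escaped:   {$escaped}\n"; // rendered as &lt;script&gt;...&lt;/script&gt;
var_dump(leaksRawMarkup($raw, $role['name']));     // bool(true)
var_dump(leaksRawMarkup($escaped, $role['name'])); // bool(false)
```

Run with `php example.php` on PHP 8 or later (`str_contains` is a PHP 8 function); the escaped row is what a fixed template would produce.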