CVE-2024-13918

8.0 HIGH

📋 TL;DR

Laravel framework versions 11.9.0 through 11.35.1 contain a reflected cross-site scripting vulnerability in debug-mode error pages. Attackers can inject malicious scripts via request parameters that are improperly encoded, potentially compromising user sessions. This affects any Laravel application running debug mode with these vulnerable versions.

💻 Affected Systems

Products:
  • Laravel PHP Framework
Versions: 11.9.0 through 11.35.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications with debug mode enabled (APP_DEBUG=true). Production environments should already have debug disabled, but development/staging systems are at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking leading to unauthorized access, data theft, or account takeover for users who visit malicious links.

🟢 If Mitigated

Limited impact if debug mode is disabled in production, but development/staging environments remain vulnerable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) and debug mode enabled. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v11.36.0

Vendor Advisory: https://github.com/laravel/framework/releases/tag/v11.36.0

Restart Required: No

Instructions:

1. Update Laravel to version 11.36.0 or later via Composer: 'composer require laravel/framework:^11.36.0'.
2. Run 'composer update'.
3. Clear application cache: 'php artisan config:clear' and 'php artisan cache:clear'.

🔧 Temporary Workarounds

Disable Debug Mode

Set APP_DEBUG=false in .env file to prevent debug error pages from being served.

echo 'APP_DEBUG=false' >> .env
php artisan config:clear

🧯 If You Can't Patch

  • Disable debug mode immediately in all environments.
  • Implement web application firewall (WAF) rules to block XSS payloads in request parameters.

🔍 How to Verify

Check if Vulnerable:

Check the Laravel version via 'composer show laravel/framework' and verify whether it falls within 11.9.0 through 11.35.1. Also check .env for APP_DEBUG=true.

Check Version:

composer show laravel/framework | grep versions

Verify Fix Applied:

Confirm Laravel version is 11.36.0 or higher with 'composer show laravel/framework'.
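A scripted version of the check above, as an added example that is not part of this advisory: it reads composer.lock and .env (constructed sample inputs are embedded), compares the locked laravel/framework version against the affected range and fix version stated above, and evaluates APP_DEBUG the way Laravel's default 'config/app.php' does with '(bool) env('APP_DEBUG', false)', so a value such as 'no' still counts as debug enabled. The status strings are this example's own naming.

```python
import json
import re
# Affected range and fixed version, exactly as stated in the advisory above.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (11, 9, 0), (11, 35, 1), (11, 36, 0)
# Tokens that Laravel's env() plus the (bool) cast in config/app.php treat as "off"; anything else is on.
FALSE_TOKENS = {"false", "(false)", "", "0", "null", "(null)", "empty", "(empty)"}

def parse_version(text):
    """'v11.30.0' or '11.30.0' -> (11, 30, 0); None for dev/branch aliases such as '11.x-dev'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def framework_version(lock_text):
    """Locked laravel/framework version string from composer.lock JSON, or None if absent."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version", "")
    return None

def debug_enabled(env_text):
    """Effective APP_DEBUG from .env text; a later line overrides an earlier one (so the append workaround above works)."""
    value = "false"
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        if key.strip() == "APP_DEBUG":
            # Drop a trailing inline comment and surrounding quotes before comparing.
            value = raw.split(" #", 1)[0].strip().strip("\"'").lower()
    return value not in FALSE_TOKENS

def assess(lock_text, env_text):
    """Classify one checkout from its two files; an APP_DEBUG exported in the real process environment (which wins over .env) is not seen here."""
    raw = framework_version(lock_text)
    if raw is None:
        return "no-laravel-framework"
    version = parse_version(raw)
    if version is None:
        return "unknown-version"
    if version >= FIXED:
        return "fixed"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    return "vulnerable" if debug_enabled(env_text) else "affected-version-debug-off"

# Constructed sample inputs, not taken from any real application.
SAMPLE_LOCK = '{"packages": [{"name": "laravel/framework", "version": "v11.30.0"}]}'
SAMPLE_ENV = "APP_NAME=Demo\nAPP_ENV=staging\nAPP_DEBUG=true\n"
```

Run 'assess(open("composer.lock").read(), open(".env").read())' from an application's root; 'affected-version-debug-off' means the workaround is in place but the patch is still outstanding.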

📡 Detection & Monitoring

Log Indicators:

  • Unusual error page requests with long parameter values
  • Requests containing script tags or JavaScript in URL parameters

Network Indicators:

  • HTTP requests with suspicious parameters like <script> tags to error pages

SIEM Query:

web_logs WHERE url CONTAINS '/_ignition/execute-solution' AND (url CONTAINS '<script' OR url CONTAINS 'javascript:')
