CVE-2021-43808 — MEDIUM (5.3)

Q: How severe is CVE-2021-43808?

CVE-2021-43808 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-43808?

Check the references section above for vendor advisories and patch information. Affected products include: Laravel Framework.

Vulnerability Description

Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Laravel	Framework	< 6.20.42

Related Weaknesses (CWE)

CWE-79 CWE-327

References

https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828cedPatchThird Party Advisory
https://github.com/laravel/framework/pull/39906PatchThird Party Advisory
https://github.com/laravel/framework/pull/39908PatchThird Party Advisory
https://github.com/laravel/framework/pull/39909PatchThird Party Advisory
https://github.com/laravel/framework/releases/tag/v6.20.42Release NotesThird Party Advisory
https://github.com/laravel/framework/releases/tag/v7.30.6Release NotesThird Party Advisory
https://github.com/laravel/framework/releases/tag/v8.75.0Release NotesThird Party Advisory
https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfwExploitThird Party Advisory
https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828cedPatchThird Party Advisory
https://github.com/laravel/framework/pull/39906PatchThird Party Advisory
https://github.com/laravel/framework/pull/39908PatchThird Party Advisory
https://github.com/laravel/framework/pull/39909PatchThird Party Advisory
https://github.com/laravel/framework/releases/tag/v6.20.42Release NotesThird Party Advisory
https://github.com/laravel/framework/releases/tag/v7.30.6Release NotesThird Party Advisory
https://github.com/laravel/framework/releases/tag/v8.75.0Release NotesThird Party Advisory

FAQ

What is CVE-2021-43808?

CVE-2021-43808 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML ...

How severe is CVE-2021-43808?

CVE-2021-43808 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-43808?

Check the references section above for vendor advisories and patch information. Affected products include: Laravel Framework.