Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/55287?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/55287?format=api", "purl": "pkg:composer/laravel/framework@5.5.0", "type": "composer", "namespace": "laravel", "name": "framework", "version": "5.5.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.20.26", "latest_non_vulnerable_version": "12.1.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53961?format=api", "vulnerability_id": "VCID-96p3-hbxp-duaz", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nLaravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. 
In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01139", "scoring_system": "epss", "scoring_elements": "0.78748", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21263" }, { "reference_url": "https://blog.laravel.com/security-laravel-62011-7302-8221-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.laravel.com/security-laravel-62011-7302-8221-released" }, { "reference_url": "https://blog.laravel.com/security-laravel-62012-7303-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.laravel.com/security-laravel-62012-7303-released" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2021-21263.yaml" }, { "reference_url": 
"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2021-21263.yaml" }, { "reference_url": "https://github.com/laravel/framework/pull/35865", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework/pull/35865" }, { "reference_url": "https://packagist.org/packages/illuminate/database", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/illuminate/database" }, { "reference_url": "https://packagist.org/packages/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/laravel/framework" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980095", "reference_id": "980095", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980095" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21263", "reference_id": "CVE-2021-21263", "reference_type": "", "scores": [ { "value": 
"7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21263" }, { "reference_url": "https://github.com/advisories/GHSA-3p32-j457-pg5x", "reference_id": "GHSA-3p32-j457-pg5x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3p32-j457-pg5x" }, { "reference_url": "https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x", "reference_id": "GHSA-3p32-j457-pg5x", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/141208?format=api", "purl": "pkg:composer/laravel/framework@6.20.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/79566?format=api", "purl": "pkg:composer/laravel/framework@6.20.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/141209?format=api", "purl": "pkg:composer/laravel/framework@7.30.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": 
"VCID-wptp-4xv5-43du" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/79567?format=api", "purl": "pkg:composer/laravel/framework@7.30.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wptp-4xv5-43du" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/79568?format=api", "purl": "pkg:composer/laravel/framework@8.22.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.22.1" } ], "aliases": [ "CVE-2021-21263", "GHSA-3p32-j457-pg5x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-96p3-hbxp-duaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39528?format=api", "vulnerability_id": "VCID-aju9-h338-mfhf", "summary": "Cryptographic Issues\nExploit of encryption failure vulnerability", "references": [ { "reference_url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55271?format=api", "purl": "pkg:composer/laravel/framework@5.5.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1apm-fx9d-3ufe" }, { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-c1e9-2tyr-j3e9" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.40" }, { "url": "http://public2.vulnerablecode.io/api/packages/55272?format=api", "purl": "pkg:composer/laravel/framework@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-c1e9-2tyr-j3e9" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/198585?format=api", "purl": "pkg:composer/laravel/framework@10.36.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0" } ], "aliases": [ "GMS-2018-72" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-aju9-h338-mfhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40162?format=api", "vulnerability_id": "VCID-c1e9-2tyr-j3e9", "summary": "Session Fixation\nCookie serialization vulnerability in laravel framework.", "references": [ { "reference_url": "https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30", "reference_id": "", "reference_type": "", "scores": [], "url": "https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56330?format=api", "purl": "pkg:composer/laravel/framework@5.5.42", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.42" }, { "url": "http://public2.vulnerablecode.io/api/packages/56331?format=api", "purl": 
"pkg:composer/laravel/framework@5.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.30" }, { "url": "http://public2.vulnerablecode.io/api/packages/198585?format=api", "purl": "pkg:composer/laravel/framework@10.36.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0" } ], "aliases": [ "GMS-2018-73" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1e9-2tyr-j3e9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54832?format=api", "vulnerability_id": "VCID-dn8a-epsk-fkgm", "summary": "Laravel Guard bypass in Eloquent models\nIn laravel releases before 6.18.34 and 7.23.2. It was possible to mass assign Eloquent attributes that included the model's table name:\n```\n$model->fill(['users.name' => 'Taylor']);\n```\nWhen doing so, Eloquent would remove the table name from the attribute for you. This was a \"convenience\" feature of Eloquent and was not documented.\n\nHowever, when paired with validation, this can lead to unexpected and unvalidated values being saved to the database. For this reason, we have removed the automatic stripping of table names from mass-asignment operations so that the attributes go through the typical \"fillable\" / \"guarded\" logic. Any attributes containing table names that are not explicitly declared as fillable will be discarded.\n\nThis security release will be a breaking change for applications that were relying on the undocumented table name stripping during mass assignment. 
Since this feature was relatively unknown and undocumented, we expect the vast majority of Laravel applications to be able to upgrade without issues.", "references": [ { "reference_url": "https://blog.laravel.com/security-release-laravel-61834-7232", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.laravel.com/security-release-laravel-61834-7232" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-08-06-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2020-08-06-1.yaml" }, { "reference_url": "https://github.com/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework" }, { "reference_url": "https://github.com/advisories/GHSA-44pg-c29v-hp6r", "reference_id": "GHSA-44pg-c29v-hp6r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-44pg-c29v-hp6r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81366?format=api", "purl": "pkg:composer/laravel/framework@6.18.34", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.18.34" }, { "url": "http://public2.vulnerablecode.io/api/packages/81367?format=api", "purl": "pkg:composer/laravel/framework@7.23.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": 
"VCID-wptp-4xv5-43du" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.23.2" } ], "aliases": [ "GHSA-44pg-c29v-hp6r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dn8a-epsk-fkgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38896?format=api", "vulnerability_id": "VCID-eqzu-3cmt-2ube", "summary": "Close remember_me Timing Attack Vector\nThis package mishandles the `remember_me token` verification process because `DatabaseUserProvider` does not have constant-time token comparison.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-14775", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00289", "scoring_system": "epss", "scoring_elements": "0.52607", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-14775" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-14775.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-14775.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-14775.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-14775.yaml" }, { 
"reference_url": "https://github.com/laravel/framework/pull/21320", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework/pull/21320" }, { "reference_url": "https://github.com/laravel/framework/releases/tag/v5.5.10", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework/releases/tag/v5.5.10" }, { "reference_url": "https://laravel-news.com/laravel-v5-5-11", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://laravel-news.com/laravel-v5-5-11" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14775", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14775" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54213?format=api", "purl": "pkg:composer/laravel/framework@5.5.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-aju9-h338-mfhf" }, { "vulnerability": "VCID-c1e9-2tyr-j3e9" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zg1j-9fvd-bqek" }, { 
"vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.10" } ], "aliases": [ "CVE-2017-14775", "GHSA-c2v7-j5gq-wcq4" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eqzu-3cmt-2ube" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54920?format=api", "vulnerability_id": "VCID-tvc5-aur6-v3dq", "summary": "Laravel Cookie serialization vulnerability\nLaravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic. Refer to [laravel advisory](https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30) for more details and read the notes carefully when upgrading your application.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-08-08-1.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-08-08-1.yaml" }, { "reference_url": "https://github.com/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework" }, { "reference_url": "https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30" }, { "reference_url": "https://github.com/advisories/GHSA-6jvx-8ch9-j2jr", "reference_id": "GHSA-6jvx-8ch9-j2jr", "reference_type": "", "scores": [], "url": 
"https://github.com/advisories/GHSA-6jvx-8ch9-j2jr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56331?format=api", "purl": "pkg:composer/laravel/framework@5.6.30", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.30" } ], "aliases": [ "GHSA-6jvx-8ch9-j2jr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvc5-aur6-v3dq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54021?format=api", "vulnerability_id": "VCID-wptp-4xv5-43du", "summary": "Unexpected database bindings\nThis is a follow-up to the previous security advisory (GHSA-3p32-j457-pg5x) which addresses a few additional edge cases.\n\nIf a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. 
In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.", "references": [ { "reference_url": "https://packagist.org/packages/illuminate/database", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/illuminate/database" }, { "reference_url": "https://packagist.org/packages/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/laravel/framework" }, { "reference_url": "https://github.com/advisories/GHSA-3p32-j457-pg5x", "reference_id": "GHSA-3p32-j457-pg5x", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3p32-j457-pg5x" }, { "reference_url": "https://github.com/advisories/GHSA-x7p5-p2c9-phvg", "reference_id": "GHSA-x7p5-p2c9-phvg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x7p5-p2c9-phvg" }, { "reference_url": "https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg", "reference_id": "GHSA-x7p5-p2c9-phvg", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } 
], "url": "https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79668?format=api", "purl": "pkg:composer/laravel/framework@6.20.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/79669?format=api", "purl": "pkg:composer/laravel/framework@7.30.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@7.30.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/79670?format=api", "purl": "pkg:composer/laravel/framework@8.24.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.24.0" } ], "aliases": [ "GHSA-x7p5-p2c9-phvg", "GMS-2021-114", "GMS-2021-116" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wptp-4xv5-43du" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39527?format=api", "vulnerability_id": "VCID-zg1j-9fvd-bqek", "summary": "Unsafe payload decryption\nThere's a potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false. To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. 
This could lead to unexpected behavior when combined with weak type comparisons.", "references": [ { "reference_url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0", "reference_id": "", "reference_type": "", "scores": [], "url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55271?format=api", "purl": "pkg:composer/laravel/framework@5.5.40", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1apm-fx9d-3ufe" }, { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-c1e9-2tyr-j3e9" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.40" }, { "url": "http://public2.vulnerablecode.io/api/packages/55272?format=api", "purl": "pkg:composer/laravel/framework@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96p3-hbxp-duaz" }, { "vulnerability": "VCID-c1e9-2tyr-j3e9" }, { "vulnerability": "VCID-wptp-4xv5-43du" }, { "vulnerability": "VCID-zj39-eevs-kug3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.6.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/198585?format=api", "purl": "pkg:composer/laravel/framework@10.36.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@10.36.0" } ], "aliases": [ "GMS-2018-27" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zg1j-9fvd-bqek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54419?format=api", "vulnerability_id": "VCID-zj39-eevs-kug3", "summary": "SQL Server LIMIT / OFFSET SQL 
Injection in laravel/framework and illuminate/database\n### Impact\n\nThose using SQL Server with Laravel and allowing user input to be passed directly to the `limit` and `offset` functions is vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.\n\n### Patches\n\nThis problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0.\n\n### Workarounds\n\nYou may workaround this vulnerability by ensuring that only integers are passed to the `limit` and `offset` functions, as well as the `skip` and `take` functions.", "references": [ { "reference_url": "https://github.com/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework" }, { "reference_url": "https://packagist.org/packages/illuminate/database", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/illuminate/database" }, { "reference_url": "https://packagist.org/packages/laravel/framework", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://packagist.org/packages/laravel/framework" }, { "reference_url": "https://github.com/advisories/GHSA-4mg9-vhxq-vm7j", "reference_id": "GHSA-4mg9-vhxq-vm7j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4mg9-vhxq-vm7j" }, { "reference_url": "https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j", "reference_id": "GHSA-4mg9-vhxq-vm7j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/80571?format=api", "purl": "pkg:composer/laravel/framework@6.20.26", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@6.20.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/80572?format=api", "purl": "pkg:composer/laravel/framework@8.40.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@8.40.0" } ], "aliases": [ "GHSA-4mg9-vhxq-vm7j", "GMS-2021-113", "GMS-2021-115" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zj39-eevs-kug3" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.5.0" }