Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/38635?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38635?format=api", "vulnerability_id": "VCID-t45c-4zgs-r7es", "summary": "User phishing\nThere's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application.", "aliases": [ { "alias": "CVE-2017-9303" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53624?format=api", "purl": "pkg:composer/illuminate/auth@5.4.27", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/illuminate/auth@5.4.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/53627?format=api", "purl": "pkg:composer/laravel/framework@5.4.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/framework@5.4.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/53626?format=api", "purl": "pkg:composer/laravel/laravel@5.4.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@5.4.23" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53625?format=api", "purl": "pkg:composer/laravel/laravel@5.2.45", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-t45c-4zgs-r7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@5.2.45" } ], "references": [ { "reference_url": "https://github.com/laravel/framework/issues/18697", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/laravel/framework/issues/18697" }, { "reference_url": "https://laravel.com/docs/5.4/releases#laravel-5.4.22", "reference_id": "", "reference_type": "", "scores": [], "url": "https://laravel.com/docs/5.4/releases#laravel-5.4.22" }, { "reference_url": "https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix", "reference_id": "", "reference_type": "", "scores": [], "url": "https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 20, "name": "Improper Input Validation", "description": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t45c-4zgs-r7es" }