{"url":"http://public2.vulnerablecode.io/api/packages/210653?format=json","purl":"pkg:composer/laravel/laravel@5.3.30","type":"composer","namespace":"laravel","name":"laravel","version":"5.3.30","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.1.9","latest_non_vulnerable_version":"9.1.9","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42875?format=json","vulnerability_id":"VCID-67cz-hs1f-j7c4","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nA Remote Code Execution (RCE) vulnerability exists in h laravel 5.8.38 via an unserialize pop chain in (1) __destruct in \\Routing\\PendingResourceRegistration.php, (2) __cal in Queue\\Capsule\\Manager.php, and (3) __invoke in mockery\\library\\Mockery\\ClosureWrapper.php.","references":[{"reference_url":"https://github.com/1nhann/vulns/issues/1#issuecomment-1213126338","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/1nhann/vulns/issues/1#issuecomment-1213126338"},{"reference_url":"https://github.com/guoyanan1g/Laravel-vul/issues/2#issue-1045655892","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/guoyanan1g/Laravel-vul/issues/2#issue-1045655892"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43503","reference_id":"CVE-2021-43503","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43503"},{"reference_url":"https://github.com/advisories/GHSA-86r3-4gq8-xw8q","reference_id":"GHSA-86r3-4gq8-xw8q","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-86r3-4gq8-xw8q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/566997?format=json","purl":"pkg:composer/laravel/laravel@6.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aqf1-d4z7-6fb4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@6.0.0"}],"aliases":["CVE-2021-43503","GHSA-86r3-4gq8-xw8q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-67cz-hs1f-j7c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110689?format=json","vulnerability_id":"VCID-aqf1-d4z7-6fb4","summary":"Unserialized Pop Chain in Laravel\n## Withdrawn\nThis advisory has been withdrawn because it is not a security issue and the CVE has been revoked.\n\n## Original Description\nLaravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution (RCE) via an unserialized pop chain in __destruct in Illuminate\\Broadcasting\\PendingBroadcast.php and __call in Faker\\Generator.php.","references":[{"reference_url":"https://github.com/1nhann/vulns/issues/1#issuecomment-1213126338","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/1nhann/vulns/issues/1#issuecomment-1213126338"},{"reference_url":"https://github.com/1nhann/vulns/issues/3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/1nhann/vulns/issues/3"},{"reference_url":"https://github.com/ambionics/phpggc/issues/118","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ambionics/phpggc/issues/118"},{"reference_url":"https://github.com/laravel/laravel","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/laravel"},{"reference_url":"https://inhann.top/2022/05/17/bypass_wakeup","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://inhann.top/2022/05/17/bypass_wakeup"},{"reference_url":"https://inhann.top/2022/05/17/bypass_wakeup/","reference_id":"","reference_type":"","scores":[],"url":"https://inhann.top/2022/05/17/bypass_wakeup/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31279","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31279"},{"reference_url":"https://github.com/advisories/GHSA-vv7q-mfpc-qgm5","reference_id":"GHSA-vv7q-mfpc-qgm5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vv7q-mfpc-qgm5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/590535?format=json","purl":"pkg:composer/laravel/laravel@9.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@9.1.9"}],"aliases":["CVE-2022-31279","GHSA-vv7q-mfpc-qgm5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aqf1-d4z7-6fb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38635?format=json","vulnerability_id":"VCID-t45c-4zgs-r7es","summary":"User phishing\nThere's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9303","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42417","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42407","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42332","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-9303"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-9303.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-9303.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-9303.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-9303.yaml"},{"reference_url":"https://github.com/laravel/framework/commit/cef10551820530632a86fa6f1306fee95c5cac43","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/laravel/framework/commit/cef10551820530632a86fa6f1306fee95c5cac43"},{"reference_url":"https://github.com/laravel/framework/issues/18697","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/laravel/framework/issues/18697"},{"reference_url":"https://laravel.com/docs/5.4/releases#laravel-5.4.22","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://laravel.com/docs/5.4/releases#laravel-5.4.22"},{"reference_url":"https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-9303","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-9303"},{"reference_url":"https://web.archive.org/web/20171021180417/http://www.securityfocus.com/bid/98776","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20171021180417/http://www.securityfocus.com/bid/98776"},{"reference_url":"http://www.securityfocus.com/bid/98776","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/98776"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/156089?format=json","purl":"pkg:composer/laravel/laravel@5.4.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@5.4.22"},{"url":"http://public2.vulnerablecode.io/api/packages/53626?format=json","purl":"pkg:composer/laravel/laravel@5.4.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-67cz-hs1f-j7c4"},{"vulnerability":"VCID-aqf1-d4z7-6fb4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@5.4.23"}],"aliases":["CVE-2017-9303","GHSA-rc8x-jrrc-frfv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t45c-4zgs-r7es"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/laravel/laravel@5.3.30"}