Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/961424?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/961424?format=api", "purl": "pkg:composer/cesargb/laravel-magiclink@2.12.0", "type": "composer", "namespace": "cesargb", "name": "laravel-magiclink", "version": "2.12.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.25.1", "latest_non_vulnerable_version": "2.25.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50118?format=api", "vulnerability_id": "VCID-gdgt-wxnc-fbfr", "summary": "MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution\nMagicLink stores serialized action objects in the `magic_links.action` database column and deserializes them without integrity validation or class allowlisting in [src/MagicLink.php](src/MagicLink.php#L59-L77) and [src/Actions/ResponseAction.php](src/Actions/ResponseAction.php#L64-L77). An attacker with the ability to manipulate database records (e.g., via SQL injection or compromised admin access) could inject malicious serialized objects containing arbitrary closures, leading to Remote Code Execution (RCE) when the magic link is visited.", "references": [ { "reference_url": "https://github.com/cesargb/laravel-magiclink", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cesargb/laravel-magiclink" }, { "reference_url": "https://github.com/cesargb/laravel-magiclink/releases/tag/v2.25.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cesargb/laravel-magiclink/releases/tag/v2.25.1" }, { "reference_url": "https://github.com/advisories/GHSA-r33w-fg8j-9c94", "reference_id": "GHSA-r33w-fg8j-9c94", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r33w-fg8j-9c94" }, { "reference_url": "https://github.com/cesargb/laravel-magiclink/security/advisories/GHSA-r33w-fg8j-9c94", "reference_id": "GHSA-r33w-fg8j-9c94", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/cesargb/laravel-magiclink/security/advisories/GHSA-r33w-fg8j-9c94" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74010?format=api", "purl": "pkg:composer/cesargb/laravel-magiclink@2.25.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/cesargb/laravel-magiclink@2.25.1" } ], "aliases": [ "GHSA-r33w-fg8j-9c94" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gdgt-wxnc-fbfr" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/cesargb/laravel-magiclink@2.12.0" }