What is the severity of CVE-2017-9303?

CVE-2017-9303 is considered a medium severity vulnerability due to its potential for password reset phishing attacks.

How do I fix CVE-2017-9303?

To fix CVE-2017-9303, update your Laravel framework to version 5.4.22 or later.

Which versions are affected by CVE-2017-9303?

CVE-2017-9303 affects Laravel versions 5.4.0 through 5.4.21 and 5.3.0 through 5.3.31.

What type of attack does CVE-2017-9303 enable?

CVE-2017-9303 enables remote attackers to conduct phishing attacks by manipulating the host portion of password-reset URLs.

Is CVE-2017-9303 present in Laravel 5.4.22 or later?

No, CVE-2017-9303 is not present in Laravel 5.4.22 or later, as those versions contain the necessary security fix.

Vulnerability/
CVE-2017-9303

medium

6.1

CWE

7/5/2017

29/5/2017

25/4/2024

CVE-2017-9303: Input Validation

First published: Sun May 07 2017(Updated: )

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
composer/laravel/framework	>=5.3.0<=5.3.31>=5.4.0<5.4.22
composer/illuminate/auth	>=5.3.0<=5.3.31>=5.4.0<5.4.22
composer/laravel/framework	>=5.4.0<5.4.22	5.4.22
composer/laravel/framework	>=5.3.0<=5.3.31
composer/illuminate/auth	>=5.4.0<5.4.22	5.4.22
composer/illuminate/auth	>=5.3.0<=5.3.31
composer/laravel/laravel	>=5.4.0<5.4.22	5.4.22
Laravel Framework	=5.4.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-9303?
CVE-2017-9303 is considered a medium severity vulnerability due to its potential for password reset phishing attacks.
How do I fix CVE-2017-9303?
To fix CVE-2017-9303, update your Laravel framework to version 5.4.22 or later.
Which versions are affected by CVE-2017-9303?
CVE-2017-9303 affects Laravel versions 5.4.0 through 5.4.21 and 5.3.0 through 5.3.31.
What type of attack does CVE-2017-9303 enable?
CVE-2017-9303 enables remote attackers to conduct phishing attacks by manipulating the host portion of password-reset URLs.
Is CVE-2017-9303 present in Laravel 5.4.22 or later?
No, CVE-2017-9303 is not present in Laravel 5.4.22 or later, as those versions contain the necessary security fix.

collector/friends-of-php
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-rc8x-jrrc-frfv
alias/CVE-2017-9303
agent/software-canonical-lookup
agent/references
agent/last-modified-date
agent/severity
agent/weakness
agent/softwarecombine
agent/event
agent/description
agent/author
collector/github-advisory
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
package-manager/composer
vendor/laravel
canonical/laravel framework
version/laravel framework/5.4.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.