First published: Wed May 15 2024(Updated: )
The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of `false`. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application's code, such as the example below: ``` <?php $decyptedValue = decrypt($secret); if ($decryptedValue == '') { // Code is run even though decrypted value is false... } ```
Affected Software | Affected Version | How to fix |
---|---|---|
composer/laravel/framework | >=5.6.0<5.6.15 | 5.6.15 |
composer/laravel/framework | <5.5.40 | 5.5.40 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.