CVE-2021-43808 MEDIUM

CVE-2021-43808: Blade `@parent` Exploitation Leading To Possible XSS in Laravel

Vendor Laravel

Product framework

Weakness CWE-79 · XSS

Published December 7, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

Description

Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.

Key dates

Disclosure timeline

December 7, 2021 CVE published

August 4, 2024 Record updated

Identifiers

CVE CVE-2021-43808

CWE CWE-79

CVSS 5.3 / MEDIUM

Affected versions

Vendor Laravel

Product framework

Affected >= 8.0.0, < 8.75.0

Vendor Laravel

Product framework

Affected >= 7.0.0, < 7.30.6

Vendor Laravel

Product framework

Affected < 6.20.42