CVE-2017-9303
- Source
- https://cve.org/CVERecord?id=CVE-2017-9303
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9303.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-9303
- Aliases
- Published
- 2017-05-29T22:29:00.173Z
- Modified
- 2026-02-13T00:15:25.971047Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
- References
Affected packages
Git / github.com/laravel/laravel
Affected ranges
- Type
- GIT
- Repo
- https://github.com/laravel/laravel
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
v3.*
v3.0.0
v3.0.0-beta-2
v3.0.0-rc-2
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-beta-1
v3.2.0-beta-2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v4.*
v4.0.0
v4.0.0-BETA3
v4.0.0-BETA4
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.18
v4.1.27
v4.2.0
v4.2.11
v5.*
v5.0.0
v5.0.1
v5.0.16
v5.0.22
v5.1.0
v5.1.1
v5.1.11
v5.1.3
v5.1.33
v5.1.4
v5.2.0
v5.2.15
v5.2.23
v5.2.24
v5.2.27
v5.2.29
v5.2.31
v5.3.0
v5.3.10
v5.3.16
v5.3.30
v5.4.0