VYPR
Medium severity 6.1 · NVD Advisory · Published May 29, 2017 · Updated Jun 17, 2026

CVE-2017-9303

Description

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| laravel/laravel (Packagist) | >= 5.4.0, < 5.4.22 | 5.4.22 |
| illuminate/auth (Packagist) | >= 5.3.0, <= 5.3.31 | |
| illuminate/auth (Packagist) | >= 5.4.0, < 5.4.22 | 5.4.22 |
| laravel/framework (Packagist) | >= 5.3.0, <= 5.3.31 | |
| laravel/framework (Packagist) | >= 5.4.0, < 5.4.22 | 5.4.22 |

Affected products: 4

References: 9
