Medium severity6.1NVD Advisory· Published May 29, 2017· Updated Jun 17, 2026
CVE-2017-9303
CVE-2017-9303
Description
Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
laravel/laravelPackagist | >= 5.4.0, < 5.4.22 | 5.4.22 |
illuminate/authPackagist | >= 5.3.0, <= 5.3.31 | — |
illuminate/authPackagist | >= 5.4.0, < 5.4.22 | 5.4.22 |
laravel/frameworkPackagist | >= 5.3.0, <= 5.3.31 | — |
laravel/frameworkPackagist | >= 5.4.0, < 5.4.22 | 5.4.22 |
Affected products
4- ghsa-coords3 versions
>= 5.3.0, <= 5.3.31+ 2 more
- (no CPE)range: >= 5.3.0, <= 5.3.31
- (no CPE)range: >= 5.3.0, <= 5.3.31
- (no CPE)range: >= 5.4.0, < 5.4.22
Patches
Vulnerability mechanics
References
9- www.securityfocus.com/bid/98776nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-rc8x-jrrc-frfvghsaADVISORY
- laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fixnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-9303ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/auth/CVE-2017-9303.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/CVE-2017-9303.yamlghsaWEB
- github.com/laravel/framework/commit/cef10551820530632a86fa6f1306fee95c5cac43ghsaWEB
- laravel.com/docs/5.4/releasesghsaWEB
- web.archive.org/web/20171021180417/http://www.securityfocus.com/bid/98776ghsaWEB
News mentions
0No linked articles in our index yet.