VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published May 29, 2017 · Updated May 13, 2026

CVE-2017-9303

Description

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions      Patched versions
laravel/laravel      Packagist   >= 5.4.0, < 5.4.22     5.4.22
illuminate/auth      Packagist   >= 5.3.0, <= 5.3.31
illuminate/auth      Packagist   >= 5.4.0, < 5.4.22     5.4.22
laravel/framework    Packagist   >= 5.3.0, <= 5.3.31
laravel/framework    Packagist   >= 5.4.0, < 5.4.22     5.4.22

Patches

Commit cef105518205

force host on password reset notification

https://github.com/laravel/framework · Taylor Otwell · May 7, 2017 · via ghsa
1 file changed · +1 −1
  • src/Illuminate/Auth/Notifications/ResetPassword.php (+1 −1, modified)
    @@ -46,7 +46,7 @@ public function toMail($notifiable)
         {
             return (new MailMessage)
                 ->line('You are receiving this email because we received a password reset request for your account.')
    -            ->action('Reset Password', route('password.reset', $this->token))
    +            ->action('Reset Password', url(config('app.url').route('password.reset', $this->token, false)))
                 ->line('If you did not request a password reset, no further action is required.');
         }
     }
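Review bot: the new `->action(...)` line builds the link by string-concatenating `config('app.url')` with the relative path from `route('password.reset', $this->token, false)`, so the result now depends entirely on `app.url` being set correctly and without a trailing slash; a value like `https://example.test/` yields `https://example.test//password/reset/...`, and the default `http://localhost` silently sends every user a link to localhost. Consider `rtrim(config('app.url'), '/')` before the concatenation and a note in the upgrade guide that `APP_URL` must be configured for password resets to work. The change itself is the right direction: the old `route('password.reset', $this->token)` derived the absolute URL from the incoming request, which is exactly how an attacker-supplied host ended up in the emailed link.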
    
