CVE-2018-20962
Description
Backpack CRUD for Laravel before 3.4.9 is vulnerable to cross-site scripting (XSS) via the select field type, allowing attackers to inject arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2018-20962 describes a cross-site scripting (XSS) vulnerability in the Backpack CRUD component for Laravel, affecting versions prior to 3.4.9. The flaw resides in the select field type, which fails to properly sanitize user-supplied input before rendering it in the admin panel. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed in the context of the victim's browser [2].
Exploitation
Prerequisites
Exploitation requires an authenticated user with the ability to create or edit entries that include a select field. The attacker can craft a malicious value for the select field (e.g., via a dropdown option or a custom input) that contains JavaScript payloads. When an administrator or other user views the affected entry in the Backpack interface, the injected script executes without any additional user interaction [1][2].
Impact
Successful exploitation enables an attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying admin panel content, or exfiltrating sensitive data. Since Backpack CRUD is commonly used to build custom admin panels, the impact can extend to full compromise of the underlying Laravel application if an administrator account is targeted [2].
Mitigation
The vulnerability was fixed in Backpack CRUD version 3.4.9, released on May 10, 2018 [3][4]. Users are strongly advised to upgrade to at least this version. The changelog confirms the fix addresses XSS in the select field type [3]. No workarounds have been documented, and the vendor recommends updating as the sole mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
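As an added example (not Backpack's own code, and not run through Laravel or Blade), the following plain-PHP script re-creates the output logic of the `select` column view before and after the 3.4.9 fix and runs both over a constructed related-record name that carries markup. The local `e()` is a stand-in for Laravel's helper and assumes its `htmlspecialchars`/`ENT_QUOTES` behaviour.

```php
<?php
declare(strict_types=1);

// Added example, not Backpack's code: plain-PHP re-creation of the output logic in
// columns/select.blade.php before and after 3.4.9. Values here are constructed; in
// Backpack they come from the related model's attribute.

// Stand-in for Laravel's e() helper (assumed: htmlspecialchars with ENT_QUOTES, UTF-8).
// ENT_QUOTES also encodes quotes, so the result is safe inside an HTML attribute too.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pre-3.4.9: related values are joined and echoed into the page unescaped.
function renderSelectColumnVulnerable(array $attributes): string
{
    return count($attributes) ? implode(', ', $attributes) : '-';
}

// 3.4.9: the joined string goes through e() before it reaches the page.
function renderSelectColumnFixed(array $attributes): string
{
    return count($attributes) ? e(implode(', ', $attributes)) : '-';
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: {$what}");
    }
}

// Constructed sample: one benign related record and one whose name carries markup.
$attributes = ['Editors', '<script>alert(1)</script>'];

$vulnerable = renderSelectColumnVulnerable($attributes);
$fixed      = renderSelectColumnFixed($attributes);

// Unescaped output ships the tag to the admin's browser; escaped output is inert text.
expect($vulnerable === 'Editors, <script>alert(1)</script>', 'raw output unchanged');
expect($fixed === 'Editors, &lt;script&gt;alert(1)&lt;/script&gt;', 'escaped output');
expect(strpos($fixed, '<') === false, 'no raw angle brackets after escaping');

// An empty relation keeps the "-" placeholder in both versions.
expect(renderSelectColumnFixed([]) === '-', 'empty relation placeholder');

echo "vulnerable: {$vulnerable}\nfixed:      {$fixed}\n";
```

Run it with `php example.php`; the `expect` calls throw if either rendering deviates from what the fix diff implies.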
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| backpack/crud (Packagist) | < 3.4.9 | 3.4.9 |
Affected products
- Backpack\CRUD (Backpack)
Patches
- 8b6bd0a2d489: fixes #1297 - possible xss vulnerability in select field type
2 files changed · +2 −1
CHANGELOG.md+1 −0 modified@@ -24,6 +24,7 @@ All Notable changes to `Backpack CRUD` will be documented in this file ## Fixed - #1378 - when a custom default page length is specified, it should show up in the page length menu; +- #1297 - possible XSS vulnerability in ```select``` field type; now using ```e()``` to escape the attribute; ## [3.4.8] - 2018-05-07
src/resources/views/columns/select.blade.php+1 −1 modified@@ -3,7 +3,7 @@ <?php $attributes = $crud->getModelAttributeFromRelation($entry, $column['entity'], $column['attribute']); if (count($attributes)) { - echo implode(', ', $attributes); + echo e(implode(', ', $attributes)); } else { echo '-'; }
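Review bot: In the `src/resources/views/columns/select.blade.php` hunk the `e()` wrapper is placed correctly at the output point, since the values come from the related model rather than from the template, and because it is applied to the already-joined string the `', '` separator is unaffected; however, the file changed is a column view while the CHANGELOG entry (and the commit message) describe the "select field type", so the changelog line should say "select column" to stop readers from wondering whether the form-input side also needed a change. Any other column view that still does `echo implode(', ', $attributes);` without `e()` would have the same exposure, so it is worth checking the sibling column views in the same change.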
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6gfm-gpr3-8wh9 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20962 (GHSA, advisory)
- github.com/Laravel-Backpack/CRUD/blob/8b6bd0a2d489a4690f6b1d7ace67e2f07f5f0cc6/CHANGELOG.md (GHSA, web)
- github.com/Laravel-Backpack/CRUD/blob/master/CHANGELOG.md (MITRE, x_refsource_MISC)
- github.com/Laravel-Backpack/CRUD/commit/8b6bd0a2d489a4690f6b1d7ace67e2f07f5f0cc6 (GHSA, x_refsource_MISC, web)
- github.com/Laravel-Backpack/CRUD/compare/3.4.8...3.4.9 (GHSA, x_refsource_MISC, web)
- github.com/Laravel-Backpack/CRUD/issues/1297 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.