VYPR
Moderate severity · NVD Advisory · Published Aug 26, 2019 · Updated Aug 5, 2024

CVE-2019-15489

Description

Laracom 1.4.11 contains a stored/reflected XSS via the q parameter in the search form due to unsanitized Blade output.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-15489 affects laracom (Laravel FREE E-Commerce Software) version 1.4.11. The vulnerability is a cross-site scripting (XSS) issue in the search functionality. The Blade search partial (the form with id admin-search) uses {!! request()->input('q') !!} to write the search query into the value attribute of the text input. The {!! !!} raw-echo syntax emits the expression without HTML escaping, so an attacker can inject arbitrary HTML and JavaScript into the page via the q parameter [1][4].

Exploitation

An attacker can craft a URL with a malicious payload in the q parameter, e.g., search?q=. When a victim visits such a link, the script executes in the context of the application, which may require no authentication if the search endpoint is publicly accessible. The fix, merged in pull request #211, changes the output to use {{ request()->input('q') }} with Blade's standard escaping [1][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an authenticated or unauthenticated user. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, potentially compromising the entire e-commerce application if an admin is targeted [2][3].

Mitigation

The vulnerability was patched in the commit 36ff6a5 (merge of PR #211) [4]. Users should upgrade to a version containing this fix or apply the patch manually. The current repository status notes that the project may be unmaintained, so upgrading to a maintained fork or applying the patch is recommended [3].
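The root cause above is a Blade raw echo ({!! !!}) wrapping request input, and the fix is to switch to the escaping echo ({{ }}). The following added example (not part of the advisory or the laracom project) is a small defender-side audit script: it flags raw echoes whose expression references request data in Blade templates, and includes a Python equivalent of Laravel's e() helper to show what the escaping echo does to a value containing quotes. The template text it scans is a constructed sample modelled on the search partial, not the project's file.

```python
import html
import re
from pathlib import Path

# Blade's raw echo `{!! ... !!}` emits the expression without HTML escaping;
# `{{ ... }}` passes it through e(), i.e. htmlspecialchars() with ENT_QUOTES.
RAW_ECHO = re.compile(r"\{!!(.*?)!!\}", re.DOTALL)
# Heuristic list of expressions that carry user-controlled request data.
TAINT_SOURCES = re.compile(
    r"request\(\)|\$request\b|Request::|Input::|\$_(?:GET|POST|REQUEST|COOKIE)"
)


def blade_escape(value: str) -> str:
    """Python equivalent of Laravel's e(): escapes &, <, >, \" and '."""
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")


def find_unescaped_request_echoes(template: str):
    """Return (line, expression) for each raw echo that references request data."""
    findings = []
    for m in RAW_ECHO.finditer(template):
        expr = m.group(1).strip()
        if TAINT_SOURCES.search(expr):
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, expr))
    return findings


def scan_blade_dir(root) -> dict:
    """Map each *.blade.php file under root to its findings (clean files omitted)."""
    results = {}
    for path in Path(root).rglob("*.blade.php"):
        hits = find_unescaped_request_echoes(
            path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample modelled on the search partial; not the project's file.
SAMPLE_TEMPLATE = """<!-- search form -->
<form action="{{$route}}" method="get" id="admin-search">
    <input type="text" name="q" value="{!! request()->input('q') !!}">
    {!! $trustedHtml !!}
    <input type="hidden" name="prev" value="{{ request()->input('q') }}">
</form>
"""

if __name__ == "__main__":
    for line, expr in find_unescaped_request_echoes(SAMPLE_TEMPLATE):
        print(f"line {line}: raw echo of request data: {expr}")
    print(blade_escape('a"b'))  # a&quot;b
```

Only the raw echo on line 3 of the sample is reported; the `$trustedHtml` raw echo carries no request data and the `{{ }}` echo on line 5 is already escaped.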

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jsdecena/laracom (Packagist)
Affected versions: >= 1.4.11, < 1.5.0
Patched versions: 1.5.0

Patches

Commit 36ff6a5c4a78

Merge pull request #211 from belguinan/patch-1

https://github.com/jsdecena/laracom · Jeff Simons Decena · Aug 7, 2019 · via ghsa
1 file changed · +2 −2
  • resources/views/layouts/search.blade.php (+2 −2, modified)
    @@ -2,11 +2,11 @@
         <!-- search form -->
         <form action="{{$route}}" method="get" id="admin-search">
             <div class="input-group">
    -            <input type="text" name="q" class="form-control" placeholder="Search..." value="{!! request()->input('q') !!}">
    +            <input type="text" name="q" class="form-control" placeholder="Search..." value="{{ request()->input('q') }}">
                 <span class="input-group-btn">
                     <button type="submit" id="search-btn" class="btn btn-flat"><i class="fa fa-search"></i> Search </button>
                 </span>
             </div>
         </form>
         <!-- /.search form -->
    -</div>
    \ No newline at end of file
    +</div>
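Review bot: the change at the value attribute is the right fix, since Blade's {{ }} runs the expression through e(), which is htmlspecialchars() with ENT_QUOTES, so a double quote in q can no longer terminate the attribute; the second pair of hunk lines only adds the missing trailing newline after the closing </div> and is unrelated to the fix. Because this PR touches only the search partial, it would be worth grepping the other templates for {!! request()->input(...) !!} and similar raw echoes of request data, and a regression test that renders the partial with a quote in q would keep the fix from being reverted silently.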
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
