CVE-2019-17433
Description
CVE-2019-17433 is a stored XSS vulnerability in laravel-admin 1.7.3 via the Slug or Name fields on the Roles screen due to improper escaping in the Operation log.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability is a stored cross-site scripting (XSS) issue in z-song laravel-admin version 1.7.3. The Roles screen allows administrators to set a Slug or Name for roles, but these inputs are not properly sanitized before being displayed in the Operation log screen [1], [2].
An authenticated attacker with administrative access to the role management function can inject malicious JavaScript code into the Slug or Name fields. When the victim (another admin) views the Operation log, the injected script executes in their browser context. The attack requires admin privileges but can be used to target other administrators.
Successful exploitation allows the attacker to perform actions on behalf of the victim within the application, such as creating or modifying data, or stealing session cookies. Since the payload is stored, it can affect multiple users who view the Operation log.
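The missing output encoding described above, shown as an added example that is not laravel-admin's own code: a constructed log record holding a role's Name and Slug is rendered once by plain concatenation and once with every stored value encoded at output time. The record layout, the function names and the marker string are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Constructed sample: form input an operation log might keep after a role
// is saved. The layout is assumed, not taken from laravel-admin.
$logEntry = [
    'user'  => 'admin-a',
    'path'  => 'admin/auth/roles',
    'input' => [
        'slug' => 'editor',
        'name' => '<script>alert(1)</script>', // harmless marker for markup in a field
    ],
];

// Before: stored values are concatenated into HTML unchanged, so markup in
// Name or Slug becomes part of the page other administrators open.
function renderLogRowUnsafe(array $e): string
{
    $input = json_encode($e['input'], JSON_UNESCAPED_SLASHES);
    return "<tr><td>{$e['user']}</td><td>{$e['path']}</td><td><pre>{$input}</pre></td></tr>";
}

// After: every stored value is HTML-encoded at the point of output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLogRowSafe(array $e): string
{
    $input = json_encode($e['input'], JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return '<tr><td>' . h($e['user']) . '</td><td>' . h($e['path'])
         . '</td><td><pre>' . h($input) . '</pre></td></tr>';
}

// Audit helper: names of the stored fields whose values contain HTML
// metacharacters, for reviewing rows written before encoding was in place.
function fieldsWithMarkup(array $input): array
{
    return array_keys(array_filter($input, fn ($v) => is_string($v) && h($v) !== $v));
}

echo renderLogRowUnsafe($logEntry), PHP_EOL; // the tag reaches the page intact
echo renderLogRowSafe($logEntry), PHP_EOL;   // the same text, rendered inert
print_r(fieldsWithMarkup($logEntry['input']));
```

Encoding at output rather than rejecting input keeps the log faithful to what was submitted while preventing the browser from interpreting it.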
The issue was reported and acknowledged by the maintainer in the project's GitHub repository (issue #3847) [2]. Users should upgrade to a patched version of laravel-admin. As of the publication date, there is no official patch, but updating to the latest release is recommended.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- z-song/laravel-admin (description)
- ghsa-coords
Patches (0)
No patches discovered yet.
References (3)
- github.com/advisories/GHSA-fcmh-7492-g4q9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-17433 (ghsa, ADVISORY)
- github.com/z-song/laravel-admin/issues/3847 (ghsa, x_refsource_MISC, WEB)