CVE-2022-31114

EPSS 0.05%

backpack/crud is vulnerable to Cross-Site Scripting (XSS)

Published: 2026/6/3 · Modified: 2026/6/3

Description

### Impact

It's a "*moderate*" vulnerability, but being an admin panel, we take this seriously. It's difficult, but an attacker could conduct a targeted phishing campaign in order to **trick your users or admins into clicking a malicious link, which under very specific circumstances could give them information, or even admin access**. It's *unlikely*, but that's not good enough in admin panels: we should make it *impossible*. That's why we're bothering you with this.

### Patches

If you don't have custom error views, the views provided by Backpack would output the exception message *without escaping it*, which made an attack possible using Reflected XSS in some very specific circumstances (which we will not disclose).

**To fix those error views in Backpack 4.x and 5.x, please run:**

```bash
composer update backpack/crud
php artisan backpack:fix
```

The problem has been patched in:

- v4.0.63
- v4.1.69
- v5.0.13

> **IMPORTANT! Running `composer update` should get you the patched version, but you also need to run `php artisan backpack:fix` afterwards, to patch your published error views, if necessary.**

### Workarounds

Alternatively (if you don't want to run `composer update`), you can manually look inside your error views in *resources/views/errors* and output `e($exception->getMessage())` instead of `$exception->getMessage()`. That's all there is to the fix, really. (Note that Blade's `{{ ... }}` syntax already escapes its output; the unescaped forms to look for are raw `{!! ... !!}` output and plain PHP `echo` statements.)
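The mechanism behind the advisory, as an added stand-alone example that is not Backpack's code: an error view that concatenates the exception message into HTML is a reflected-XSS sink, and wrapping the message in `e()` closes it. The `e()` below is a stand-in for Laravel's helper (`htmlspecialchars` with `ENT_QUOTES`, UTF-8) so the script runs with plain PHP 8 and no framework; `renderUnescaped`, `renderEscaped` and the `<img onerror>` message are hypothetical constructs for illustration, and the advisory does not disclose which request path actually reaches an exception message.

```php
<?php
// Added example, not Backpack's own views. Demonstrates the unescaped vs. escaped
// exception-message sink described in the advisory. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Stand-in for Laravel's e() helper (assumption: same htmlspecialchars flags as the
// framework's implementation; the real helper lives in the framework, not here).
if (!function_exists('e')) {
    function e(?string $value): string
    {
        return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hypothetical error view, "before": equivalent to Blade's raw {!! $exception->getMessage() !!}
// or a plain PHP echo of the message. Anything in the message lands in the page as markup.
function renderUnescaped(Throwable $exception): string
{
    return '<div class="error-message">' . $exception->getMessage() . '</div>';
}

// Hypothetical error view, "after": the advisory's workaround, e($exception->getMessage()).
function renderEscaped(Throwable $exception): string
{
    return '<div class="error-message">' . e($exception->getMessage()) . '</div>';
}

// Returns true when the rendered HTML still carries the raw tag from the message.
// Useful as a regression check for any view that prints exception text.
function containsRawTag(string $html): bool
{
    return str_contains($html, '<img');
}

// Constructed message: in a reflected-XSS scenario, attacker-controlled request data
// ends up in the exception text. This payload is made up for the demonstration.
$message   = 'Resource not found: <img src=x onerror="alert(document.cookie)">';
$exception = new RuntimeException($message);

$unsafe = renderUnescaped($exception);
$safe   = renderEscaped($exception);

echo "Unescaped view output:\n", $unsafe, "\n\n";
echo "Escaped view output:\n", $safe, "\n\n";

if (!containsRawTag($unsafe)) {
    throw new LogicException('unescaped view should expose the sink');
}
if (containsRawTag($safe)) {
    throw new LogicException('escaped view still contains a raw tag');
}
echo "Escaping check passed: e() neutralised the payload.\n";
```

The escaped output renders the payload as `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, i.e. visible text rather than an element; `ENT_QUOTES` matters because it also escapes quotes, so a message cannot break out of an attribute value in views that print it inside one.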
### What the maintainers have done about this

Acted as soon as our team found it (last week of March 2022):

- Pushed patches to 5.x, 4.1 and 4.0;
- Made it easy to apply the fix to existing projects, using a new `php artisan backpack:fix` command;
- Kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible;
- Emailed all our licensed users, to give them a chance to fix their projects before it's public;
- Sent an email blast to our 25,000+ strong Security Newsletter;
- Made this public with a blog post and soon a CVE, after our community has had a reasonable chance to fix their projects;
- Will continue to monitor this and remind paying users to apply this fix if they haven't.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [backpack/crud](https://github.com/laravel-backpack/crud)
* Email us at [[email protected]](mailto:[email protected])

---

PS. You can [read this blog post](https://backpackforlaravel.com/articles/news/we-recommend-you-fix-this-vulnerability) for more information.

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |

References (4)