Vulnerabilities > Laravel > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-25 | CVE-2022-40482 | Information Exposure Through Discrepancy vulnerability in Laravel Framework The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. | 5.3 |
| 2022-02-24 | CVE-2022-25838 | Authentication Bypass by Capture-replay vulnerability in Laravel Fortify Laravel Fortify before 1.11.1 allows reuse within a short time window, thus calling into question the "OT" part of the "TOTP" concept. | 6.8 |
| 2021-12-20 | CVE-2020-19316 | OS Command Injection vulnerability in Laravel Framework OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17. | 6.8 |
| 2021-12-08 | CVE-2021-43808 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Laravel Framework Laravel is a web application framework. | 4.3 |
| 2021-01-19 | CVE-2021-21263 | SQL Injection vulnerability in Laravel Laravel is a web application framework. | 5.3 |
| 2020-09-04 | CVE-2020-24941 | Improper Input Validation vulnerability in Laravel An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. | 4.3 |
| 2020-09-04 | CVE-2020-24940 | Improper Input Validation vulnerability in Laravel An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. | 4.3 |
| 2019-03-28 | CVE-2018-6330 | SQL Injection vulnerability in Laravel Framework 5.4.15 Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters. | 6.5 |
| 2017-09-28 | CVE-2017-14775 | Information Exposure vulnerability in Laravel Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. | 4.3 |
| 2017-05-29 | CVE-2017-9303 | Improper Input Validation vulnerability in Laravel 5.4.0 Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. | 5.8 |