Описание
Laravel Translation Manager Vulnerable to Stored Cross-site Scripting
Impact
The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities.
Patches
The issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475 which is released in version 0.6.8
Workarounds
Only authenticated users with access to the translation manager are impacted.
References
[PT-2025-04] laravel translation manager.pdf
Reported by
Positive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)
Ссылки
- https://github.com/barryvdh/laravel-translation-manager/security/advisories/GHSA-j226-63j7-qrqh
- https://nvd.nist.gov/vuln/detail/CVE-2025-49130
- https://github.com/barryvdh/laravel-translation-manager/pull/475
- https://github.com/barryvdh/laravel-translation-manager/commit/527446ed419f90f2319675fc5211cb8f851d7a1f
- https://github.com/barryvdh/laravel-translation-manager/releases/tag/v0.6.8
Пакеты
barryvdh/laravel-translation-manager
< 0.6.8
0.6.8
Связанные уязвимости
Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. The issue is fixed in version 0.6.8.
Уязвимость пакета Laravel Translation Manager PHP-фреймворка Laravel, позволяющая нарушителю проводить межсайтовые сценарные атаки