
CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not use a constant-time token comparison.

References: https://github.com/laravel/framework/pull/21320 , https://github.com/laravel/framework/releases/tag/v5.5.10 , https://laravel-news.com/laravel-v5-5-11

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

References: http://www.securityfocus.com/bid/98776 , https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix

CWE-20: Improper Input Validation