CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14775
https://notcve.org/view.php?id=CVE-2017-14775
27 Sep 2017 — Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. Las versiones anteriores a la 5.5.10 de Laravel gestionan incorrectamente el proceso de verificación del token remember_me porque DatabaseUserProvider no compara los tokens constantemente. • https://github.com/laravel/framework/pull/21320 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9303
https://notcve.org/view.php?id=CVE-2017-9303
29 May 2017 — Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. Laravel 5.4.x anterior a 5.4.22 no restringe adecuadamente la parte del host de una URL de restablecimiento de contraseña, lo que facilitaría a un atacante remoto realizar ataques de phishing especificando un host controlado por dicho atacante. • http://www.securityfocus.com/bid/98776 • CWE-20: Improper Input Validation •