{"vulnerability": "CVE-2022-31114", "sightings": [{"uuid": "da9d0fec-f81a-4f4e-888c-6aca6858217c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-31114", "type": "seen", "source": "https://gist.github.com/alon710/318ae5a8389c9b8cdb7f278e7a67a44b", "content": "# CVE-2022-31114: Reflected Cross-Site Scripting in Laravel Backpack Error Views\n\n> **CVSS Score:** 5.1\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2022-31114\n\n## Summary\nCVE-2022-31114 is a reflected Cross-Site Scripting (XSS) vulnerability in `backpack/crud`, the Laravel Backpack administrative panel package. The default error views render the PHP exception message without HTML escaping. When an exception message reflects attacker-controlled request input, any markup it carries is emitted verbatim, and arbitrary JavaScript runs in the browser session of the administrator who opened the crafted link.\n\n## TL;DR\nUnescaped exception messages in Laravel Backpack's default error views let an attacker who can get an authenticated administrator to open a crafted link execute arbitrary JavaScript in that administrator's session.\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Vulnerability Class**: Reflected Cross-Site Scripting (XSS)\n- **CVSS v4.0 Score**: 5.1\n- **Attack Vector**: Network (AV:N)\n- **Exploit Status**: None / Unproven\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\nLaravel applications using the `backpack/crud` package in any of these version ranges:\n\n- **backpack/crud**: >= 5.0.0, < 5.0.13 (fixed in `5.0.13`)\n- **backpack/crud**: >= 4.1.0, < 4.1.69 (fixed in `4.1.69`)\n- **backpack/crud**: < 4.0.63 (fixed in `4.0.63`)\n\n## Mitigation\n\n- Update the `backpack/crud` dependency to a patched version\n- Run `php artisan backpack:fix` to repair error views that were published into the application; those are copies under `resources/views/errors/`, so updating the package alone does not change them\n- Deploy a Content Security Policy (CSP) that disallows inline scripts, as defence in depth\n- Set the HttpOnly and SameSite flags on session cookies; these limit cookie theft and cross-site request forgery but do not stop script already running in the administrator's session from issuing requests on their behalf\n\n**Remediation Steps:**\n1. Run `composer update backpack/crud` to retrieve a patched release\n2. Run `php artisan backpack:fix` in the application environment to clean locally published error templates\n3. Verify that the templates under `resources/views/errors/` no longer output the raw exception message\n\n## References\n\n- [GitHub Security Advisory GHSA-m8xx-3x29-84h8](https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8)\n- [Official Vendor Remediation Blog Post](https://backpackforlaravel.com/articles/news/we-recommend-you-fix-this-vulnerability)\n- [NVD Detail Page](https://nvd.nist.gov/vuln/detail/CVE-2022-31114)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2022-31114)\n- [Shodan CVEDB Entry](https://cvedb.shodan.io/cve/CVE-2022-31114)\n- [Laravel Backpack GitHub Repository](https://github.com/Laravel-Backpack/CRUD)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2022-31114) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T20:40:55.000000Z"}]}
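Remediation step 3 in the report above asks you to verify that published error templates no longer emit the raw exception message. The POSIX shell script below is an added example of that check; it is not code from the CVEReports page or from the Backpack project. It scans a views directory for the Blade raw-echo form `{!! ... !!}` and for PHP `echo` / `<?=` blocks that reference `$exception` or `getMessage()`, the pattern CVE-2022-31114 is about, and reports each hit with file and line. The script name, the function names and the sample templates it writes to a temporary directory are assumptions for the demo; the samples do not reproduce Backpack's real views.

```shell
#!/bin/sh
# scan_error_views.sh: added example, not code from the CVEReports page or the
# Backpack project. Finds Blade templates that emit the exception message
# unescaped. In Blade, {{ ... }} is HTML-escaped; {!! ... !!} (and plain
# <?php echo / <?= ) is emitted verbatim, which is the CVE-2022-31114 pattern.

# Extended regex for raw output that references $exception or getMessage():
#   {!! $exception->getMessage() !!}              raw Blade echo
#   <?php echo $exception->getMessage() ?>        raw PHP echo
#   <?= $exception->getMessage() ?>               raw PHP short echo
RAW_EXC_PATTERN='[{]!!.*(\$exception|getMessage\(\)).*!![}]|<\?(php[[:space:]]+echo|=).*(\$exception|getMessage\(\))'

# find_raw_exception_output DIR
# Prints file:line:text for every match under DIR. Returns 1 if anything was
# found (templates still vulnerable), 0 if the tree is clean.
find_raw_exception_output() {
    dir="$1"
    # /dev/null is passed as an extra file so grep always prefixes the
    # filename, even when find hands it a single template.
    matches=$(find "$dir" -type f -name '*.blade.php' \
        -exec grep -nE "$RAW_EXC_PATTERN" /dev/null {} + 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# make_sample_views ROOT
# Writes a constructed sample tree (assumption: demo input only, these are not
# Backpack's real templates): one vulnerable view and two safe ones.
make_sample_views() {
    root="$1"
    mkdir -p "$root/errors"
    # Vulnerable: raw echo of the exception message (match expected on line 2)
    printf '%s\n' '@extends("errors.layout")' \
        '<p class="message">{!! $exception->getMessage() !!}</p>' \
        > "$root/errors/500.blade.php"
    # Safe: escaped echo of the exception message
    printf '%s\n' '@extends("errors.layout")' \
        '<p class="message">{{ $exception->getMessage() }}</p>' \
        > "$root/errors/404.blade.php"
    # Not this bug: raw echo of a variable that is not the exception message
    printf '%s\n' '<footer>{!! $footerHtml !!}</footer>' \
        > "$root/errors/403.blade.php"
}

# demo: build the sample tree, scan it, print a verdict, clean up.
demo() {
    tmp=$(mktemp -d)
    make_sample_views "$tmp"
    if find_raw_exception_output "$tmp"; then
        echo "clean: no raw exception output found"
    else
        echo "VULNERABLE: raw exception output found (see lines above)"
    fi
    rm -rf "$tmp"
}

# Usage: sh scan_error_views.sh --demo
#    or: . ./scan_error_views.sh && find_raw_exception_output resources/views/errors
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it against the application's `resources/views/errors/` after `php artisan backpack:fix`; a non-zero exit means a published template still echoes the exception message raw. The regex is deliberately narrow (it only flags raw output that mentions `$exception` or `getMessage()`), so a template that copies the message into another variable first will not be caught and still needs a manual read.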