GHSA-J226-63J7-QRQH

Vulnerability from github – Published: 2025-06-09 13:15 – Updated: 2025-06-09 15:55
VLAI?
Summary
Laravel Translation Manager Vulnerable to Stored Cross-site Scripting
Details

Impact

The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities.

Patches

The issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475 which is released in version 0.6.8

Workarounds

Only authenticated users with access to the translation manager are impacted.

References

[PT-2025-04] laravel translation manager.pdf

Reported by

Positive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)

Severity ?
6.0 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "barryvdh/laravel-translation-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T13:15:19Z",
    "nvd_published_at": "2025-06-09T13:15:23Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user\u0027s browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities.\n\n### Patches\nThe issue is fixed in https://github.com/barryvdh/laravel-translation-manager/pull/475 which is released in version 0.6.8\n\n### Workarounds\nOnly authenticated users with access to the translation manager are impacted.\n\n### References\n[[PT-2025-04] laravel translation manager.pdf](https://github.com/user-attachments/files/20639250/PT-2025-04.laravel.translation.manager.pdf)\n\n### Reported by\nPositive Technologies (Artem Deikov, Ilya Tsaturov, Daniil Satyaev, Roman Cheremnykh, Artem Danilov, Stanislav Gleym)",
  "id": "GHSA-j226-63j7-qrqh",
  "modified": "2025-06-09T15:55:56Z",
  "published": "2025-06-09T13:15:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/barryvdh/laravel-translation-manager/security/advisories/GHSA-j226-63j7-qrqh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/barryvdh/laravel-translation-manager/pull/475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/barryvdh/laravel-translation-manager/commit/527446ed419f90f2319675fc5211cb8f851d7a1f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/barryvdh/laravel-translation-manager"
    },
    {
      "type": "WEB",
      "url": "https://github.com/barryvdh/laravel-translation-manager/releases/tag/v0.6.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Laravel Translation Manager Vulnerable to Stored Cross-site Scripting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.