{"id":"CVE-2017-9303","details":"Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.","aliases":["GHSA-rc8x-jrrc-frfv"],"modified":"2026-04-11T12:06:04.459909Z","published":"2017-05-29T22:29:00.173Z","database_specific":{},"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/98776"},{"type":"ADVISORY","url":"https://laravel-news.com/laravel-5-4-22-is-now-released-and-includes-a-security-fix"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/laravel/laravel","events":[{"introduced":"0"},{"last_affected":"d9f54e3454b4cbbc7b614970c9f5d48e440f3957"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"5.4.0"}],"cpe":"cpe:2.3:a:laravel:laravel:5.4.0:*:*:*:*:*:*:*"}}],"versions":["v3.0.0","v3.0.0-beta-2","v3.0.0-rc-2","v3.0.1","v3.1.0","v3.1.1","v3.2.0-beta-1","v3.2.0-beta-2","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.4","v3.2.5","v3.2.6","v3.2.8","v3.2.9","v4.0.0","v4.0.0-BETA3","v4.0.0-BETA4","v4.1.0","v4.2.0","v5.0.0","v5.1.0","v5.1.1","v5.2.0","v5.3.0","v5.3.10","v5.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9303.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}