id: laravel-ignition-xss info: name: Laravel Ignition - Cross-Site Scripting author: 0x_Akoko severity: high description: | Laravel Ignition contains a cross-site scripting vulnerability when debug mode is enabled. remediation: | Disable debug mode by setting APP_DEBUG to false. reference: - https://www.acunetix.com/vulnerabilities/web/laravel-ignition-reflected-cross-site-scripting/ - https://github.com/facade/ignition/issues/273 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-79 tags: laravel,xss,ignition requests: - method: GET path: - "{{BaseURL}}/_ignition/scripts/-->" matchers-condition: and matchers: - type: word part: body words: - "Undefined index: --> in file" - type: word part: header words: - "text/html" - type: status status: - 500 # Enhanced by md on 2022/09/19