CVE-2025-49130
BaseFortify
Publication date: 2025-06-09
Last updated on: 2025-06-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49130 is a stored Cross-Site Scripting (XSS) vulnerability in the Laravel Translation Manager package prior to version 0.6.8. It occurs because the application does not properly validate and sanitize user inputs related to translation groups and locales. This allows an authenticated user with access to the translation manager to inject arbitrary HTML and JavaScript code into pages rendered by the application. The malicious code can then execute in the browsers of users viewing those pages, potentially leading to theft of sensitive data, session hijacking, or other malicious actions. The vulnerability was fixed by sanitizing inputs and escaping outputs to prevent script injection. [1, 3, 4]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an authenticated user with access to the Laravel Translation Manager to inject malicious scripts into the application. These scripts can execute in the browsers of users who view the affected pages, potentially leading to theft of sensitive information, hijacking of user sessions, or other malicious activities. Although the attacker must have authenticated access, the impact on confidentiality can be high due to the ability to steal data or hijack sessions. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Laravel Translation Manager package version is prior to 0.6.8, as versions before this are vulnerable. Additionally, you can review the application for unsanitized inputs related to translation groups and locales that might allow injection of HTML or JavaScript code. Since the vulnerability requires authenticated access, monitoring authenticated user activity for suspicious input in the translation manager interface may help. Specific commands are not provided in the resources, but verifying the installed package version can be done via composer with: `composer show barryvdh/laravel-translation-manager` and checking the version number. Also, reviewing your published views for the presence of escaping functions (like Laravel's `e()` helper) on group and locale outputs can indicate if the fix is applied. [1, 2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Laravel Translation Manager package to version 0.6.8 or later, where the issue is fixed. This update includes sanitization of group and locale inputs and escaping of output to prevent XSS attacks. Additionally, you should update your published views to incorporate the changes from the security release. Ensuring that only authenticated and trusted users have access to the translation manager interface also helps reduce risk. [2, 3, 4]