CVE-2025-49130

Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. The issue is fixed in version 0.6.8.

CVSS

No CVSS.

References

Link	Resource
https://github.com/barryvdh/laravel-translation-manager/commit/527446ed419f90f2319675fc5211cb8f851d7a1f
https://github.com/barryvdh/laravel-translation-manager/pull/475
https://github.com/barryvdh/laravel-translation-manager/releases/tag/v0.6.8
https://github.com/barryvdh/laravel-translation-manager/security/advisories/GHSA-j226-63j7-qrqh

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) Laravel Translation Manager es un paquete para gestionar los archivos de traducción de Laravel. Antes de la versión 0.6.8, la aplicación era vulnerable a ataques de Cross-Site Scripting (XSS) debido a la validación y el saneamiento incorrectos de los datos introducidos por el usuario. Un atacante puede inyectar código HTML arbitrario, incluyendo scripts JavaScript, en la página procesada por el navegador del usuario, lo que le permite robar datos confidenciales, secuestrar sesiones de usuario o realizar otras actividades maliciosas. Solo los usuarios autenticados con acceso al gestor de traducción se ven afectados. El problema se solucionó en la versión 0.6.8.

09 Jun 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-09 13:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-49130

Mitre link : CVE-2025-49130

CVE.ORG link : CVE-2025-49130

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-49130", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-09T13:15:23.977", "references": [{"url": "https://github.com/barryvdh/laravel-translation-manager/commit/527446ed419f90f2319675fc5211cb8f851d7a1f", "source": "security-advisories@github.com"}, {"url": "https://github.com/barryvdh/laravel-translation-manager/pull/475", "source": "security-advisories@github.com"}, {"url": "https://github.com/barryvdh/laravel-translation-manager/releases/tag/v0.6.8", "source": "security-advisories@github.com"}, {"url": "https://github.com/barryvdh/laravel-translation-manager/security/advisories/GHSA-j226-63j7-qrqh", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including JavaScript scripts, into the page processed by the user's browser, allowing them to steal sensitive data, hijack user sessions, or conduct other malicious activities. Only authenticated users with access to the translation manager are impacted. The issue is fixed in version 0.6.8."}, {"lang": "es", "value": "Laravel Translation Manager es un paquete para gestionar los archivos de traducci\u00f3n de Laravel. Antes de la versi\u00f3n 0.6.8, la aplicaci\u00f3n era vulnerable a ataques de Cross-Site Scripting (XSS) debido a la validaci\u00f3n y el saneamiento incorrectos de los datos introducidos por el usuario. Un atacante puede inyectar c\u00f3digo HTML arbitrario, incluyendo scripts JavaScript, en la p\u00e1gina procesada por el navegador del usuario, lo que le permite robar datos confidenciales, secuestrar sesiones de usuario o realizar otras actividades maliciosas. Solo los usuarios autenticados con acceso al gestor de traducci\u00f3n se ven afectados. El problema se solucion\u00f3 en la versi\u00f3n 0.6.8."}], "lastModified": "2025-06-12T16:06:47.857", "sourceIdentifier": "security-advisories@github.com"}

JSON object

Attach tags to CVE-2025-49130

Attach tags to `CVE-2025-49130`