Posted: 15-05-2017

Laravel 5.4.22 Is Now Released with a Security Fix

Laravel 5.4.22 has been released with a security vulnerability fix related to the password reset system and everyone should upgrade.

Laravel 5.4.22 patches a security vulnerability in the Laravel 5.4 release series that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice that they are not on their intended application's domain, they may accidentally enter their login credentials into a malicious application.

In Laravel 5.1 applications, the password reset notification is maintained by the developer, so this vulnerability may or may not be present. You should verify that your application generates an absolute URL for password reset links:


{{ url('http://example.com/password/reset/'.$token) }}
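The following is an added illustration (not code from the original post or from the Laravel project) of the host-spoofing problem described above and of the absolute-URL check recommended for Laravel 5.1 applications. It is plain PHP with stand-ins for the request root and the configured application URL; the constants, helper names and the Host value are constructed for the example.

```php
<?php
// Constructed stand-in for the configured application URL (APP_URL in .env).
const APP_URL = 'https://example.com';

// Constructed stand-in for how a framework derives the request root:
// the scheme plus whatever the client sent in the Host header.
function requestRoot(array $headers, string $scheme = 'https'): string
{
    return $scheme . '://' . $headers['Host'];
}

// Vulnerable pattern: the reset link is built relative to the incoming
// request, so the Host header supplied by whoever triggered the reset
// becomes the host of the link the victim receives in the email.
function resetUrlFromRequest(array $headers, string $token): string
{
    return requestRoot($headers) . '/password/reset/' . $token;
}

// Hardened pattern: the host comes from configuration, so the request
// cannot influence it; this is what an absolute password reset URL gives you.
function resetUrlFromConfig(string $token): string
{
    return rtrim(APP_URL, '/') . '/password/reset/' . $token;
}

// Defensive check before sending: the link's host must match the configured host.
function resetLinkIsTrusted(string $url): bool
{
    return parse_url($url, PHP_URL_HOST) === parse_url(APP_URL, PHP_URL_HOST);
}

$token   = 'TOKEN-PLACEHOLDER';                 // constructed sample token
$spoofed = ['Host' => 'untrusted-host.example']; // constructed spoofed Host header

$fromRequest = resetUrlFromRequest($spoofed, $token);
$fromConfig  = resetUrlFromConfig($token);

printf("request-derived: %s (trusted: %s)\n",
    $fromRequest, resetLinkIsTrusted($fromRequest) ? 'yes' : 'no');
printf("config-derived:  %s (trusted: %s)\n",
    $fromConfig, resetLinkIsTrusted($fromConfig) ? 'yes' : 'no');
```

The request-derived link carries the spoofed host and fails the trust check, while the config-derived link always points at the configured domain.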