jdavidbakr / mail-tracker

Package for Laravel to inject tracking code into outgoing emails.
MIT License

Code Injection & Potential XSS via "h" parameter #188

Closed therecluse26 closed 2 years ago

therecluse26 commented 2 years ago

Hi, my company recently had a code audit done by a third-party agency, and they revealed a potential security issue with your package, just FYI. Below is the example they gave of this potential exploit.

If you inject code into this parameter, it can be used to execute arbitrary code:

https://example.site/email/n?l=https://google.com&h=%3Ch1%3ETest%3C/h1%3E2

jdavidbakr commented 2 years ago

Can you give a little more info about how this exploit is used? The hash is used to retrieve the SentEmail model and is escaped through the Laravel Eloquent process, so I'm unclear on where it's able to be executed. When I use that query string extension I get a proper redirect to google.com.
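The maintainer's point is that the hash is only ever used as a bound lookup value, so markup in it cannot run anywhere. The following is an added illustration, not mail-tracker's own code: it stands in for the lookup with plain PDO on an in-memory SQLite table instead of Eloquent, and it assumes a `sent_emails` table with a `hash` column and a placeholder hash format of 32 alphanumeric characters (an assumption, not the package's actual format).

```php
<?php
// Added illustration (not mail-tracker's code): a lookup keyed on the "h"
// query parameter where the value is treated strictly as data.
// Assumptions: a sent_emails table with a `hash` column, and a placeholder
// rule that a valid hash is 32 alphanumeric characters.

declare(strict_types=1);

const HASH_PATTERN = '/^[A-Za-z0-9]{32}$/';

// Cheap first check: reject anything that cannot be a hash before touching
// the database, so a value such as "<h1>Test</h1>2" never reaches a query.
function isWellFormedHash(string $h): bool
{
    return preg_match(HASH_PATTERN, $h) === 1;
}

// Look up the tracked email by hash. The value is passed as a bound
// parameter, so it is compared as an opaque string and never interpreted.
function findSentEmailByHash(PDO $pdo, string $h): ?array
{
    if (!isWellFormedHash($h)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, hash FROM sent_emails WHERE hash = :h LIMIT 1');
    $stmt->execute([':h' => $h]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sent_emails (id INTEGER PRIMARY KEY, hash TEXT NOT NULL)');

$knownHash = str_repeat('a', 32); // constructed sample value, not a real hash
$pdo->prepare('INSERT INTO sent_emails (hash) VALUES (:h)')->execute([':h' => $knownHash]);

// The value from the issue's example URL, already URL-decoded by PHP.
$auditValue = '<h1>Test</h1>2';

echo 'known hash found: ', var_export(findSentEmailByHash($pdo, $knownHash) !== null, true), PHP_EOL;
echo 'audit value found: ', var_export(findSentEmailByHash($pdo, $auditValue) !== null, true), PHP_EOL;
```

The format check is the extra step a reviewer would ask for: it turns a malformed `h` into a clean not-found response before any query runs, and it keeps the value from being reflected into any page by accident.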

therecluse26 commented 2 years ago

@jdavidbakr Honestly, I have no idea; I'm just forwarding what the security audit revealed, and they didn't really give a lot more detail. It might be a nothingburger, but I figured you might want to look into it regardless.

jdavidbakr commented 2 years ago

I would love to fix it but have no idea how it's able to be exploited. I'll close this ticket for now but please add to it if you find out any more information.