PT-2018-12889 · Laravel · Laravel Framework

Published: 2018-08-09 · Updated: 2025-07-15 · CVE-2018-15133

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Laravel Framework versions 5.5.0 through 5.5.40; Laravel Framework versions 5.6.0 through 5.6.29

Description: Remote code execution might occur due to an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This issue involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Recommendations: For Laravel Framework versions 5.5.0 through 5.5.40, update to a version later than 5.5.40 to resolve the issue. For Laravel Framework versions 5.6.0 through 5.6.29, update to a version later than 5.6.29 to resolve the issue. As a temporary workaround, consider restricting access to untrusted X-XSRF-TOKEN values until a patch is applied.

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers: CVE-2018-15133, GHSA-QVQM-H22R-4CP9

Affected Products: Laravel Framework