PT-2024-40434 · Laravel · Laravel

Published

2024-05-15

·

Updated

2024-05-15

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Laravel (affected versions not specified)
Description The issue affects applications that use the "cookie" session driver and also expose an encryption oracle; together the two allow remote code execution. An encryption oracle is any feature that encrypts arbitrary user input with the application key and later displays or otherwise returns the resulting ciphertext to the user. Laravel's encrypted strings carry a MAC computed with the application key, but nothing in the payload ties a ciphertext to the purpose it was produced for, so the output of such an oracle is indistinguishable from any other value the application encrypted. With the "cookie" session driver the entire session payload is stored in the encrypted session cookie rather than on the server, so an attacker can submit a chosen session payload to the oracle, receive a validly signed encrypted string for it, and present that string as their own session cookie. The application then decrypts and unserializes attacker-controlled session data, which is the path to remote code execution.
Recommendations For applications using the "cookie" session driver, identify and remove any feature that encrypts user-controlled input and returns the ciphertext to the user (for example, passing a request value through Crypt::encrypt() or encrypt() and rendering the result in a page, link or redirect). Where such a feature cannot be removed, restrict access to it so untrusted users cannot reach it. Because the vulnerable condition requires the session payload to live in a client-held cookie, moving to a server-side session driver (such as file, database or redis) also removes the attack path. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
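The mechanism described above and the purpose-binding mitigation suggested in the recommendations, as an added example that is not Laravel's code and not the upstream fix. It reproduces the layout of an Illuminate Encrypter payload (base64-encoded JSON with iv, value, mac and tag, where mac is HMAC-SHA256 over base64(iv) + base64(value)) but replaces the AES-256-CBC layer with an HMAC-derived keystream so it runs on the Python standard library alone; the session payload string, APP_KEY and every name ending in _demo are constructed for the demonstration.

```python
"""Model of the Laravel encryption-oracle -> forged session cookie issue.

Added example for this advisory, not Laravel's code. Payload layout follows
Illuminate\\Encryption\\Encrypter (base64 JSON with iv, value, mac, tag; mac is
HMAC-SHA256 over the base64 iv and value strings). The cipher itself is a
stdlib stand-in, NOT AES-256-CBC, so the block runs without extra packages.
"""
import base64
import hashlib
import hmac
import json
import os

APP_KEY = os.urandom(32)  # stands in for the application's APP_KEY (assumption)

# Constructed PHP-serialized session payload an attacker wants the app to load.
SAMPLE_SESSION_DEMO = 'a:1:{s:6:"_token";s:6:"forged";}'


def _xor_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """STAND-IN for AES-256-CBC: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so one call both encrypts and decrypts. Demo only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    # Encrypter::hash(): hash_hmac('sha256', $iv . $value, $key) over base64 strings.
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Produce a Laravel-shaped encrypted string: base64(json{iv,value,mac,tag})."""
    iv = os.urandom(16)
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(_xor_cipher(key, iv, plaintext)).decode()
    payload = {"iv": iv_b64, "value": value_b64,
               "mac": laravel_mac(key, iv_b64, value_b64), "tag": ""}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decrypt(key: bytes, token: str) -> bytes:
    """Verify the mac, then decrypt. Nothing here checks what the string is FOR."""
    payload = json.loads(base64.b64decode(token))
    expected = laravel_mac(key, payload["iv"], payload["value"])
    if not hmac.compare_digest(expected, payload["mac"]):
        raise ValueError("MAC mismatch")
    iv = base64.b64decode(payload["iv"])
    return _xor_cipher(key, iv, base64.b64decode(payload["value"]))


# --- vulnerable application shape --------------------------------------------
def oracle_endpoint_demo(user_input: str) -> str:
    """Hypothetical feature that encrypts arbitrary input under APP_KEY and
    echoes the ciphertext to the user. This is the encryption oracle."""
    return encrypt(APP_KEY, user_input.encode())


def cookie_session_load_demo(cookie_value: str) -> bytes:
    """Cookie session driver shape: the session payload IS the cookie. Anything
    encrypted under APP_KEY decrypts cleanly; in PHP the result is then
    unserialize()d, which is where the code-execution gadget chains come in."""
    return decrypt(APP_KEY, cookie_value)


def forge_session_via_oracle(serialized_session: str) -> bytes:
    """Attacker flow: feed the desired session payload to the oracle and present
    the returned string as the session cookie. Returns what the app would load."""
    return cookie_session_load_demo(oracle_endpoint_demo(serialized_session))


# --- hardened shape: bind every ciphertext to its purpose ---------------------
def purpose_key(purpose: str) -> bytes:
    """Derive a per-purpose key from APP_KEY (HMAC as a simple KDF). One
    illustrative mitigation; not the framework's upstream fix."""
    return hmac.new(APP_KEY, purpose.encode(), hashlib.sha256).digest()


def oracle_endpoint_hardened_demo(user_input: str) -> str:
    return encrypt(purpose_key("user-links"), user_input.encode())


def cookie_session_load_hardened_demo(cookie_value: str) -> bytes:
    return decrypt(purpose_key("session"), cookie_value)


def forged_cookie_rejected(serialized_session: str) -> bool:
    """True if the session layer refuses a cookie minted by the hardened oracle."""
    try:
        cookie_session_load_hardened_demo(oracle_endpoint_hardened_demo(serialized_session))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable app loads:", forge_session_via_oracle(SAMPLE_SESSION_DEMO))
    print("hardened app rejects forged cookie:", forged_cookie_rejected(SAMPLE_SESSION_DEMO))
```

The vulnerable path shows why the oracle is enough on its own: the session layer only checks the MAC, and the oracle produced a correct MAC. Swapping the cipher stand-in for real AES-256-CBC does not change that outcome. The per-purpose key is one way to make the session layer refuse ciphertext minted elsewhere; removing the oracle or moving sessions server-side, as recommended above, removes the precondition entirely.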

Related Identifiers

GHSA-QM5C-M76R-2HFR

Affected Products

Laravel