Skip to content

Fix CVE-2025-71177: Stored XSS via unescaped title/name fields#116

Open
nielskaspers wants to merge 1 commit intoLavaLite:masterfrom
nielskaspers:fix/CVE-2025-71177-stored-xss
Open

Fix CVE-2025-71177: Stored XSS via unescaped title/name fields#116
nielskaspers wants to merge 1 commit intoLavaLite:masterfrom
nielskaspers:fix/CVE-2025-71177-stored-xss

Conversation

@nielskaspers
Copy link

@nielskaspers nielskaspers commented Jan 28, 2026

Summary

  • Fixes stored XSS vulnerability in multiple Blade templates
  • Changes unescaped output {!! !!} to escaped output {{ }} for user-controllable fields

Details

Multiple Blade templates rendered user-controllable data (title, name fields) using unescaped Blade output {!! !!}. This allows stored XSS attacks where:

  1. Attacker creates content with malicious script in name/title field
  2. Script gets stored in database
  3. When anyone views the content (show page, edit page, search results), script executes

Example Attack Vector

  1. Create a package with name: <script>alert('xss')</script>
  2. Search for "package"
  3. XSS triggers when search results display

Fix

Replace {!! $data['title'] !!} and similar patterns with {{ $data['title'] }} to ensure HTML entities are properly escaped by Laravel's Blade engine.

Affected Files (19 total)

  • Master module: show.blade.php, edit.blade.php
  • Menu module: show.blade.php, edit.blade.php, nestable.blade.php
  • Notification module: show.blade.php, edit.blade.php
  • Role/Permission modules: show.blade.php, edit.blade.php
  • Setting module: edit.blade.php
  • Team module: show.blade.php, edit.blade.php
  • User/Client modules: show.blade.php, edit.blade.php

Test plan

  • Verify content with special characters displays correctly (escaped)
  • Verify <script> tags in title/name fields are escaped, not executed
  • Test all affected show/edit views render properly

Fixes: LavaLite/cms#420
CVE: CVE-2025-71177

@nielskaspers @claude
Fix CVE-2025-71177: Stored XSS in title/name fields
aae9f50 
Multiple Blade templates were rendering user-controllable data
(title, name fields) using unescaped output {!! !!} which allows
stored XSS attacks.

When users input malicious scripts in name/title fields (e.g.,
<script>alert('xss')</script>), the script executes when the
content is displayed in show/edit views or search results.

Fix: Replace {!! $data['title'] !!} and similar patterns with
{{ $data['title'] }} to ensure HTML entities are properly escaped.

Affected components:
- Master module (show, edit views)
- Menu module (show, edit, nestable views)
- Notification module (show, edit views)
- Role/Permission modules (show, edit views)
- Setting module (edit view)
- Team module (show, edit views)
- User/Client modules (show, edit views)

Fixes: LavaLite/cms#420
CVE: CVE-2025-71177

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 28, 2026

Quality Gate Passed Quality Gate passed

Issues
8 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

A stored XSS

1 participant

@nielskaspers