Skip to content

Commit 8c1fae2

Browse files
1 parent 43b6a5a commit 8c1fae2

1 file changed

Lines changed: 99 additions & 0 deletions

File tree

Lines changed: 99 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,99 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-m8xx-3x29-84h8",
4+
"modified": "2026-06-03T20:25:50Z",
5+
"published": "2026-06-03T20:25:50Z",
6+
"aliases": [
7+
"CVE-2022-31114"
8+
],
9+
"summary": "backpack/crud is vulnerable to Cross-Site Scripting (XSS)",
10+
"details": "### Impact\n\nIt’s a “*moderate*” vulnerability… but being an admin panel, we take this seriously. It’s difficult… but an attacker could conduct a targeted phishing campaign, in order to **trick your users or admins to click a malicious link, which under very specific circumstances could give them information... or even admin access**. It’s *unlikely*, but that’s not good enough in admin panels - we should make it *impossible*. That’s why we’re bothering you with this. \n\n### Patches\n\n\nIf you don’t have custom error views, the views provided by Backpack would output the exception message *without escaping it*, which made an attack possible using Reflected XSS, in some very specific circumstances (that we will not disclose). **To fix those error views in Backpack 4.x and 5.x, please run**:\n\n```bash\ncomposer update backpack/crud\nphp artisan backpack:fix\n```\n\nThe problem has been patched in:\n- v4.0.63\n- v4.1.69\n- v5.0.13\n\n> **IMPORTANT! Running a `composer update` should get you the patched version, but you also need to run `php artisan backpack:fix` afterwards, to patch your published error views, if necessary.**\n\n### Workarounds\n\nAlternatively (if you don’t want to run `composer update`), you can manually look inside your error views in “*resources/views/errors*” and output `e($exception->getMessage())` instead of `$exception->getMessage()`. That’s all there is to the fix, really.\n\n### What we've done about this\n\nWe’ve acted as soon as our team found it (last week of March 2022):\n- We’ve pushed patches to 5.x, 4.1 and 4.0;\n- We’ve made it easy to apply the fix to existing projects, using a new `php artisan backpack:fix` command;\n- We’ve kept the specific circumstances a secret; as far as we know, only our team knows about the niche case where this exploit is possible;\n- We’ve emailed all our licensed users, to have a chance to fix their projects before it’s public;\n- We've sent an email blast to our 25.000+ strong Security Newsletter;\n- We've made this public with a blog post and soon a CVE, after our community has had a reasonable chance to fix their projects;\n- We will continue to monitor this and remind paying users to apply this fix if they haven’t;\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [backpack/crud](https://github.com/laravel-backpack/crud)\n* Email us at [hello@backpackforlaravel.com](mailto:hello@backpackforlaravel.com)\n\n---\n\nPS. You can [read this blog post](https://backpackforlaravel.com/articles/news/we-recommend-you-fix-this-vulnerability) for more information.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "backpack/crud"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "5.0.0"
29+
},
30+
{
31+
"fixed": "5.0.13"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "backpack/crud"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "4.1.0"
48+
},
49+
{
50+
"fixed": "4.1.69"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "backpack/crud"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "0"
67+
},
68+
{
69+
"fixed": "4.0.63"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8"
80+
},
81+
{
82+
"type": "ADVISORY",
83+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31114"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/Laravel-Backpack/CRUD"
88+
}
89+
],
90+
"database_specific": {
91+
"cwe_ids": [
92+
"CWE-79"
93+
],
94+
"severity": "MODERATE",
95+
"github_reviewed": true,
96+
"github_reviewed_at": "2026-06-03T20:25:50Z",
97+
"nvd_published_at": "2026-06-03T16:16:18Z"
98+
}
99+
}

0 commit comments

Comments
 (0)