@nielskaspers
Summary

  • Fixes stored XSS vulnerability in multiple Blade templates
  • Changes unescaped output {!! !!} to escaped output {{ }} for user-controllable fields

Details

Multiple Blade templates rendered user-controllable data (title, name fields) using unescaped Blade output {!! !!}. This allows stored XSS attacks where:

  1. Attacker creates content with malicious script in name/title field
  2. Script gets stored in database
  3. When anyone views the content (show page, edit page, search results), script executes

Example Attack Vector

  1. Create a package with name: <script>alert('xss')</script>
  2. Search for "package"
  3. XSS triggers when search results display

Fix

Replace {!! $data['title'] !!} and similar patterns with {{ $data['title'] }} to ensure HTML entities are properly escaped by Laravel's Blade engine.

Affected Files (19 total)

  • Master module: show.blade.php, edit.blade.php
  • Menu module: show.blade.php, edit.blade.php, nestable.blade.php
  • Notification module: show.blade.php, edit.blade.php
  • Role/Permission modules: show.blade.php, edit.blade.php
  • Setting module: edit.blade.php
  • Team module: show.blade.php, edit.blade.php
  • User/Client modules: show.blade.php, edit.blade.php

Test plan

  • Verify content with special characters displays correctly (escaped)
  • Verify <script> tags in title/name fields are escaped, not executed
  • Test all affected show/edit views render properly

Fixes: LavaLite/cms#420
CVE: CVE-2025-71177
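As an added example (not code from this PR or the LavaLite project), a small Python audit that flags the raw `{!! !!}` echoes the PR removes and rewrites them to the escaped `{{ }}` form; the allowlist of intentionally raw expressions and the sample template text are assumptions constructed for illustration.

```python
"""Audit Blade templates for unescaped echo directives ({!! ... !!}).
Added example, not code from the LavaLite project or this PR: it flags the
pattern the PR fixes and rewrites it to Blade's escaped {{ }} echo (e())."""
import re
from typing import List, Tuple

# Blade's raw echo: {!! expr !!}. Non-greedy so each directive is matched alone.
UNESCAPED_RE = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.DOTALL)

# Assumed allowlist: expressions that intentionally emit trusted HTML and
# should stay raw. Constructed for this example, not a project convention.
RAW_ALLOWLIST = ("Form::", "csrf_field(")

# Constructed template text mirroring the vulnerable pattern the PR describes;
# not copied from the project's show.blade.php.
SAMPLE_TEMPLATE = """<h1>{!! $data['title'] !!}</h1>
<p>{{ $data['name'] }}</p>
<div>{!! $data['description'] !!}</div>
{!! Form::open(['url' => '/save']) !!}
"""

def is_allowlisted(expr: str) -> bool:
    """True when the raw echo is one we deliberately leave unescaped."""
    return expr.startswith(RAW_ALLOWLIST)

def find_unescaped(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every {!! !!} echo not allowlisted."""
    findings = []
    for m in UNESCAPED_RE.finditer(template):
        expr = m.group(1)
        if is_allowlisted(expr):
            continue
        line_no = template.count("\n", 0, m.start()) + 1
        findings.append((line_no, expr))
    return findings

def escape_all(template: str) -> str:
    """Rewrite flagged {!! expr !!} echoes to {{ expr }}; allowlisted ones stay."""
    def repl(m: "re.Match[str]") -> str:
        expr = m.group(1)
        return m.group(0) if is_allowlisted(expr) else "{{ " + expr + " }}"
    return UNESCAPED_RE.sub(repl, template)

if __name__ == "__main__":
    for line_no, expr in find_unescaped(SAMPLE_TEMPLATE):
        print(f"line {line_no}: unescaped echo of {expr}")
    print(escape_all(SAMPLE_TEMPLATE), end="")
```

Run it against a template tree to get the same list of raw echoes the PR fixed by hand, then review each allowlisted hit separately since trusted-HTML helpers are the only legitimate reason to keep `{!! !!}`.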

Multiple Blade templates were rendering user-controllable data
(title, name fields) using unescaped output {!! !!} which allows
stored XSS attacks.

When users input malicious scripts in name/title fields (e.g.,
<script>alert('xss')</script>), the script executes when the
content is displayed in show/edit views or search results.

Fix: Replace {!! $data['title'] !!} and similar patterns with
{{ $data['title'] }} to ensure HTML entities are properly escaped.

Affected components:
- Master module (show, edit views)
- Menu module (show, edit, nestable views)
- Notification module (show, edit views)
- Role/Permission modules (show, edit views)
- Setting module (edit view)
- Team module (show, edit views)
- User/Client modules (show, edit views)

Fixes: LavaLite/cms#420
CVE: CVE-2025-71177

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>