CVE-2024-13918: 
PHP vulnerability analysis and mitigation

The Laravel framework versions between 11.9.0 and 11.35.1 are affected by a reflected cross-site scripting vulnerability (CVE-2024-13918). The vulnerability was discovered in November 2024 and publicly disclosed on March 10, 2025. The issue stems from improper encoding of request parameters in the debug-mode error page (SBA Research, NVD).

The vulnerability occurs when debug mode is active (APPDEBUG=true) and the web application returns an error (HTTP status 5XX). The error page displays request information without proper encoding, specifically in the template engine where HTML-encoding is deactivated for data passed via {!! !!} tags. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N ([SBA Research](https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01LaravelReflectedXSSviaRequestParameterinDebug-ModeError_Page)).

This vulnerability enables attackers to execute arbitrary JavaScript code in a user's browser within the origin of the affected web application. The exploitation requires the user to access an attacker-provided link and the web application must be running in debug mode (Security Online).

The vulnerability has been fixed in Laravel version 11.36.0. Organizations are advised to upgrade to this version or later. If immediate upgrading is not possible, a temporary workaround is to disable debug mode by setting APPDEBUG=false in the application's configuration ([SBA Research](https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01LaravelReflectedXSSviaRequestParameterinDebug-ModeError_Page)).