From aae9f50cad16b7ae5096d4958e76624af25030af Mon Sep 17 00:00:00 2001 
From: Niels Kaspers Date: Wed, 28 Jan 2026 14:27:05 +0200 Subject: [PATCH] Fix CVE-2025-71177: Stored XSS in title/name fields Multiple Blade templates were rendering user-controllable data (title, name fields) using unescaped output {!! !!} which allows stored XSS attacks. When users input malicious scripts in name/title fields (e.g., ), the script executes when the content is displayed in show/edit views or search results. Fix: Replace {!! $data['title'] !!} and similar patterns with {{ $data['title'] }} to ensure HTML entities are properly escaped. Affected components: - Master module (show, edit views) - Menu module (show, edit, nestable views) - Notification module (show, edit views) - Role/Permission modules (show, edit views) - Setting module (edit view) - Team module (show, edit views) - User/Client modules (show, edit views) Fixes: https://github.com/LavaLite/cms/issues/420 CVE: CVE-2025-71177 Co-Authored-By: Claude Opus 4.5 --- src/Litepie/Master/resources/views/master/edit.blade.php | 2 +- src/Litepie/Master/resources/views/master/show.blade.php | 2 +- src/Litepie/Menu/resources/views/admin/edit.blade.php | 2 +- .../Menu/resources/views/admin/menu/nestable.blade.php | 4 ++-- .../Menu/resources/views/admin/menu/sub/nestable.blade.php | 4 ++-- src/Litepie/Menu/resources/views/admin/show.blade.php | 2 +- .../resources/views/default/notification/edit.blade.php | 2 +- .../resources/views/default/notification/show.blade.php | 2 +- .../Role/resources/views/default/permission/edit.blade.php | 2 +- .../Role/resources/views/default/permission/show.blade.php | 2 +- src/Litepie/Role/resources/views/default/role/edit.blade.php | 2 +- src/Litepie/Role/resources/views/default/role/show.blade.php | 2 +- src/Litepie/Setting/resources/views/edit.blade.php | 2 +- src/Litepie/Team/resources/views/edit.blade.php | 2 +- src/Litepie/Team/resources/views/show.blade.php | 2 +- src/Litepie/User/resources/views/client/edit.blade.php | 2 +- 
src/Litepie/User/resources/views/client/show.blade.php | 2 +- src/Litepie/User/resources/views/user/edit.blade.php | 2 +- src/Litepie/User/resources/views/user/show.blade.php | 2 +- 19 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/src/Litepie/Master/resources/views/master/edit.blade.php b/src/Litepie/Master/resources/views/master/edit.blade.php
index 07550fdd..f8afa9cc 100644
--- a/src/Litepie/Master/resources/views/master/edit.blade.php
+++ b/src/Litepie/Master/resources/views/master/edit.blade.php
@@ -2,7 +2,7 @@
-

{!!__('Edit')!!} {!!$data['title']!!}

+

{!!__('Edit')!!} {{ $data['title'] }}

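Review bot: The new line still sends `__('Edit')` through `{!! !!}`, so it keeps one raw-output expression; as long as translation strings come only from lang files this is harmless, but `{{ __('Edit') }} {{ $data['title'] }}` would leave the line with no unescaped output and keep the pattern uniform with the other views in this patch. Blade's `{{ }}` escapes with `htmlspecialchars` in `ENT_QUOTES` mode, which covers element text and quoted attribute values; if `$data['title']` is also interpolated into an inline script or an unquoted attribute elsewhere in this template, that spot needs context-specific encoding such as `@json` rather than this replacement. Because the fix is a line-by-line substitution across 19 views, a CI check that greps for `{!!` outside a reviewed allowlist would catch the pattern being reintroduced. The enclosing markup was stripped in this rendering, so the surrounding element cannot be confirmed from the hunk.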
diff --git a/src/Litepie/Menu/resources/views/admin/menu/sub/nestable.blade.php b/src/Litepie/Menu/resources/views/admin/menu/sub/nestable.blade.php
index 2756c0bb..adb6ca30 100644
--- a/src/Litepie/Menu/resources/views/admin/menu/sub/nestable.blade.php
+++ b/src/Litepie/Menu/resources/views/admin/menu/sub/nestable.blade.php
@@ -7,7 +7,7 @@
- {!!$menu->name!!}
+ {{ $menu->name }}
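Review bot: `{{ $menu->name }}` escapes the visible label at this line and in admin/show.blade.php below, but a nestable view is presumably also feeding the menu tree to client-side code, and the hunk's context lines were lost in this rendering, so it is worth checking whether `$menu->name` is additionally written into a serialized JSON structure or an inline script in the same file — those positions need `@json`, not `{{ }}` in text position. The `@@ -7,7 +7,7 @@` header shows a single changed line; confirm that no other raw `{!! !!}` occurrence of the name remains in this template.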
diff --git a/src/Litepie/Menu/resources/views/admin/show.blade.php b/src/Litepie/Menu/resources/views/admin/show.blade.php
index 9ad0a722..270cc336 100644
--- a/src/Litepie/Menu/resources/views/admin/show.blade.php
+++ b/src/Litepie/Menu/resources/views/admin/show.blade.php
@@ -5,7 +5,7 @@
-

{!!$menu->name!!}

+

{{ $menu->name }}