CVE-2022-31114: backpack/crud Vulnerable to Cross-site Scripting
backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`.
Security readout for executives and security teams
Plain-English summary
CVE-2022-31114 is a cross-site scripting flaw in Laravel-Backpack CRUD. A targeted phishing link could make an admin or user load malicious content, which may expose information or possibly lead to admin access under specific conditions. Public sources identify patched versions for supported branches.
Executive priority
Treat as a near-term remediation for internet-facing or widely used admin panels. It is not confirmed exploited, but phishing-driven admin compromise can create business risk if vulnerable versions remain deployed.
Technical view
The issue is CWE-79 XSS in backpack/crud error handling. Affected versions are before 5.0.13, 4.1.69, and 4.0.63. The advisory workaround is to escape exception messages in resources/views/errors using e($exception->getMessage()) instead of outputting $exception->getMessage() directly.
Likely exposure
Exposure is limited to applications using Laravel-Backpack CRUD in the affected version ranges, especially custom admin panels reachable by users or administrators. The attack requires user interaction through a malicious link and specific circumstances.
Exploitation context
The source describes targeted phishing as the likely path. The CVE is not listed as KEV in the provided data, and no cited source confirms active exploitation. The impact is scoped but meaningful because admin-panel sessions can be high value.
Researcher notes
Assessment is based on the CVE record and GitHub advisory only. Public data does not provide exploit details or evidence of exploitation. Focus validation on dependency versioning and customized Laravel error views that render exception messages.
Mitigation direction
Upgrade backpack/crud to 5.0.13, 4.1.69, or 4.0.63 as appropriate.
If unable to upgrade, apply the advisory workaround in resources/views/errors.
Ensure exception messages are escaped before rendering in error views.
Review vendor advisory for branch-specific guidance before changing production systems.
Validation and detection
Inventory applications using Laravel-Backpack CRUD.
Check installed backpack/crud versions against the affected ranges.
Inspect resources/views/errors for unescaped exception message output.
Confirm upgraded versions are deployed in production and staging.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.