Description
Symfony Debug version(s) affected: 2.8.*|3.0.*
Injection Technical Details
URL: http://{domain}/{laravel_path}/_debugbar/open?op=get&id=om3rcitak&<scRipt>alert(21)<%2fscRipt>=om3rcitak
Parameter Type: Parameter Name
Attack Pattern: <scRipt>alert(21)<%2fscRipt>
Repro
$ composer create-project --prefer-dist laravel/laravel:5.2.*
$ cd laravel
$ composer require barryvdh/laravel-debugbar:~2.4
$ php artisan vendor:publish --provider="Barryvdh\Debugbar\ServiceProvider"
$ php artisan serve
and visit: http://{domain}/{laravel_path}/_debugbar/open?op=get&id=om3rcitak&<scRipt>alert(21)<%2fscRipt>=om3rcitak
Possible Solution
You have already fixed this vulnerability in the 4.* version, but Laravel 5.2.* uses symfony/debug 2.8.*|3.0.*. The same fix should be applied to the 2.8.*|3.0.* versions.
I have sent a pull request to fix this vulnerability: symfony/debug@e48bda2
Notes: I tested the latest laravel-debugbar version (2.4) on Laravel 5.2.*. This vulnerability does not affect Laravel >= 5.3 or laravel-debugbar >= 3.0, because Laravel uses a different error page template in version 5.2 than in 5.3.
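As an added illustration of the class of fix the Possible Solution section asks for (this is not symfony/debug's own code; the two render functions and the sample query string are hypothetical), the snippet below contrasts an error page that echoes request parameter names raw with one that escapes the name exactly like the value, using the query string from this report as constructed input:

```php
<?php
// Added example, not code from symfony/debug. An error page that dumps request
// parameters controls neither the parameter NAME nor its value, so both must be
// HTML-escaped before they are written into the page.

function renderParamsUnsafe(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        // Vulnerable pattern: only the value is escaped, the key is emitted raw.
        $rows .= '<tr><th>' . $name . '</th><td>'
            . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td></tr>';
    }
    return '<table>' . $rows . '</table>';
}

function renderParamsSafe(array $params): string
{
    $rows = '';
    foreach ($params as $name => $value) {
        // Fixed pattern: the key is attacker-controlled too, so escape it the same way.
        $rows .= '<tr><th>' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
            . '</th><td>' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
            . '</td></tr>';
    }
    return '<table>' . $rows . '</table>';
}

// Returns true when a literal script tag survived into the rendered HTML.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

// Constructed input: the query string from the report above (%2f decodes to '/').
parse_str('op=get&id=om3rcitak&<scRipt>alert(21)<%2fscRipt>=om3rcitak', $query);

// Regression check: the safe renderer must never let the raw tag through.
if (containsRawScriptTag(renderParamsSafe($query))) {
    throw new RuntimeException('parameter name was not escaped');
}
echo "unsafe renderer leaks tag: " . var_export(containsRawScriptTag(renderParamsUnsafe($query)), true) . "\n";
echo "safe renderer leaks tag:   " . var_export(containsRawScriptTag(renderParamsSafe($query)), true) . "\n";
```

Run it with `php` on the command line; the same check can be dropped into the project's test suite as a regression test against parameter-name reflection.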