PT-2023-7209 · Symfony+5

Rudloff · Published 2023-11-10 · Updated 2025-03-14 · CVE-2023-46734
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Symfony versions 2.0.0 through 4.4.50
Symfony versions 5.0.0 through 5.4.30
Symfony versions 6.0.0 through 6.3.7
Description
Some Twig filters in CodeExtension (Symfony\Bridge\Twig\Extension\CodeExtension, shipped in symfony/twig-bridge) are registered with the is_safe=html option. That option tells Twig's autoescaper to emit the filter's return value verbatim, so a filter declared this way must escape its own input; the affected filters did not, and built their HTML directly from the raw argument. Attacker-controlled data that reaches one of these filters is therefore rendered as markup, giving a remote attacker a cross-site scripting (XSS) vector that can be used to disclose protected information, perform phishing attacks, and conduct drive-by downloads. Symfony now escapes the output of the affected filters to resolve the issue.
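The following is an added illustration of the bug class described above; it is not Symfony's CodeExtension code. It registers two Twig filters with the same is_safe=html option: one that wraps its raw argument in markup (the vulnerable pattern) and one that escapes every piece of input first (the pattern the fix applies). The filter names, the DemoCodeExtension class and the payload are all constructed for the example, and it assumes twig/twig is installed through Composer.

```php
<?php
// Added example, not Symfony code: a Twig filter declared is_safe => ['html']
// bypasses autoescaping, so it is responsible for escaping its own input.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class DemoCodeExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Vulnerable pattern: Twig trusts the return value as HTML, but the
            // filter copies its (possibly attacker-controlled) argument in unescaped.
            new TwigFilter('abbr_class_unsafe', [$this, 'abbrClassUnsafe'], ['is_safe' => ['html']]),
            // Hardened pattern: is_safe stays (the filter really does emit markup),
            // but every input fragment is escaped before it is placed in the HTML.
            new TwigFilter('abbr_class_safe', [$this, 'abbrClassSafe'], ['is_safe' => ['html']]),
        ];
    }

    public function abbrClassUnsafe(string $class): string
    {
        $parts = explode('\\', $class);
        $short = array_pop($parts);
        return sprintf('<abbr title="%s">%s</abbr>', $class, $short);
    }

    public function abbrClassSafe(string $class): string
    {
        $parts = explode('\\', $class);
        $short = array_pop($parts);
        $esc = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return sprintf('<abbr title="%s">%s</abbr>', $esc($class), $esc($short));
    }
}

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ cls|abbr_class_unsafe }}',
    'safe'   => '{{ cls|abbr_class_safe }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new DemoCodeExtension());

// Constructed payload: a "class name" that carries markup, the kind of value
// that can end up in a rendered stack frame or argument list.
$payload = 'App\\Foo"><script>alert(1)</script>';

// The unsafe filter lets the quote close the title attribute and the <script>
// element through to the browser; the safe filter emits &quot; and &lt;script&gt;.
echo $twig->render('unsafe', ['cls' => $payload]), PHP_EOL;
echo $twig->render('safe', ['cls' => $payload]), PHP_EOL;
```

Note that the autoescape setting of the environment makes no difference to the unsafe filter: because the filter receives the raw value and its output is marked safe, nothing in the pipeline ever escapes the payload. The only fix is the one the hardened filter applies, escaping inside the filter.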
Recommendations
For Symfony versions 2.0.0 through 4.4.50, update to version 4.4.51 or later.
For Symfony versions 5.0.0 through 5.4.30, update to version 5.4.31 or later.
For Symfony versions 6.0.0 through 6.3.7, update to version 6.3.8 or later.
The affected code ships in both the symfony/symfony monolith and the standalone symfony/twig-bridge package, so check whichever of the two is installed (for example with composer show symfony/twig-bridge symfony/symfony) against the ranges above. As a temporary workaround, consider restricting the use of the affected Twig filters in CodeExtension until a patch is applied.
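The version-range logic from the recommendations, as an added example (not code from the advisory or from Symfony): it reads a composer.lock, finds the symfony/symfony and symfony/twig-bridge entries, and reports the first fixed release for any version that falls inside one of the three affected ranges. The composer.lock fragment embedded below is constructed for the demonstration.

```php
<?php
// Added example, not Symfony code: map an installed version to the first
// release of its branch that closes CVE-2023-46734, per the ranges above.

const AFFECTED_RANGES = [
    // [first affected, first fixed] for each branch in the advisory
    ['2.0.0', '4.4.51'],
    ['5.0.0', '5.4.31'],
    ['6.0.0', '6.3.8'],
];

const AFFECTED_PACKAGES = ['symfony/symfony', 'symfony/twig-bridge'];

/** Returns the fixing release if $installed is vulnerable, otherwise null. */
function fixedVersionFor(string $installed): ?string
{
    $v = ltrim($installed, 'v'); // composer.lock records tags as "v5.4.30"
    foreach (AFFECTED_RANGES as [$first, $fixed]) {
        if (version_compare($v, $first, '>=') && version_compare($v, $fixed, '<')) {
            return $fixed;
        }
    }
    return null; // already fixed, a later branch (6.4+, 7.x) or not a release tag
}

/** Scans the "packages" and "packages-dev" sections of a composer.lock. */
function auditLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (!in_array($pkg['name'], AFFECTED_PACKAGES, true)) {
                continue;
            }
            $fixed = fixedVersionFor($pkg['version']);
            if ($fixed !== null) {
                $findings[] = sprintf(
                    '%s %s is affected by CVE-2023-46734; update to %s or later',
                    $pkg['name'], $pkg['version'], $fixed
                );
            }
        }
    }
    return $findings;
}

// Constructed composer.lock fragment: one vulnerable entry, one already fixed,
// one unrelated package.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "symfony/twig-bridge", "version": "v5.4.30"},
    {"name": "twig/twig", "version": "v3.7.1"}
  ],
  "packages-dev": [
    {"name": "symfony/symfony", "version": "v6.3.8"}
  ]
}
JSON;

foreach (auditLock($sampleLock) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it from the project root after pointing $sampleLock at file_get_contents('composer.lock'). Because the 2.x, 3.x and 4.x branches share a single fix release, a 3.4.x install is reported as needing 4.4.51, which is the upgrade path the advisory gives for that whole range.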

XSS


Related identifiers

ALT-PU-2024-1028
ALT-PU-2024-4537
ALT-PU-2024-4547
ALT-PU-2024-4961
ALT-PU-2025-4212
BDU:2023-08237
BIT-SYMFONY-2023-46734
CVE-2023-46734
DLA-3664-1
GHSA-Q847-2Q57-WMR3
USN-7272-1

Affected products

Alt Linux
Astra Linux
Linuxmint
Red Os
Symfony
Ubuntu