PT-2017-3871 · Symfony · Symfony

Stefano Angaran · Published 2017-11-17 · Updated 2022-05-14 · CVE-2017-16652

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Symfony versions 2.7.x through 2.7.37
Symfony versions 2.8.x through 2.8.30
Symfony versions 3.2.x through 3.2.13
Symfony versions 3.3.x through 3.3.12
Description

The issue is related to the generation of a redirect response by the DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler components in the Symfony platform without checking the target path parameter. This can allow a remote attacker to conduct phishing attacks and gain access to protected information by using a specially crafted URI. Because the unchecked parameter permits an open redirect to an external domain, the vulnerability can be exploited to mount effective phishing attacks.
Recommendations

For Symfony versions 2.7.x through 2.7.37, update to version 2.7.38 or later.
For Symfony versions 2.8.x through 2.8.30, update to version 2.8.31 or later.
For Symfony versions 3.2.x through 3.2.13, update to version 3.2.14 or later.
For Symfony versions 3.3.x through 3.3.12, update to version 3.3.13 or later.
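The root cause described above is a login success or failure handler that redirects to whatever the target path parameter contains. The PHP helper below is an added example, not Symfony's own code and not the patch that closed this issue; it shows the kind of same-origin check such a handler should apply before building the redirect response. The function name safeTargetPath, the '/' fallback and the sample inputs are assumptions for this illustration.

```php
<?php
// Added example (not Symfony's code): validate a post-login redirect target
// so that only relative paths on this application are honoured. The helper
// name and the '/' fallback are assumptions for this illustration.

declare(strict_types=1);

/**
 * Return $target only if it is a path on this application; otherwise
 * return $fallback. Rejects scheme-prefixed strings ("https:", "data:", ...),
 * protocol-relative URLs ("//host/...") and the backslash variant that some
 * browsers normalise to "//host".
 */
function safeTargetPath(?string $target, string $fallback = '/'): string
{
    if ($target === null || $target === '') {
        return $fallback;
    }

    // Any scheme prefix means the value points off-site (or to a non-HTTP scheme).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $target)) {
        return $fallback;
    }

    // Must begin with exactly one "/", not "//" and not "/\".
    if ($target[0] !== '/') {
        return $fallback;
    }
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return $fallback;
    }

    // Belt and braces: parse_url() must not recognise a host or scheme either.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $fallback;
    }

    return $target;
}

// Constructed inputs: one legitimate in-app path followed by the shapes of
// value an unchecked target path parameter could carry.
$cases = [
    '/account/settings?tab=security',
    'https://example.org/login',
    '//example.org/login',
    '/\\example.org',
    '',
    null,
];

foreach ($cases as $case) {
    printf("%-34s => %s\n", var_export($case, true), safeTargetPath($case));
}
```

In a handler, the returned value replaces the raw parameter when constructing the RedirectResponse; the fixed Symfony releases listed in the recommendations perform their own check, so this helper is only needed on code paths that build redirects from user-supplied targets outside the framework's handlers.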

Exploit

Fix

Open Redirect


Weakness Enumeration

Related identifiers

BDU:2019-04112
CVE-2017-16652
DLA-1707-1
DSA-4262-1
GHSA-R7P7-QR7P-2RRF

Affected products

Symfony