PT-2023-7209 · Symfony+5

Rudloff · Published 2023-11-10 · Updated 2025-03-14 · CVE-2023-46734

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Symfony versions 2.0.0 through 4.4.50
Symfony versions 5.0.0 through 5.4.30
Symfony versions 6.0.0 through 6.3.7
Description

The issue exists because some Twig filters in CodeExtension are declared is_safe=html without ensuring that their input is safe, so untrusted data passed through those filters reaches the rendered page unescaped. This could allow a remote attacker to disclose protected information, perform phishing attacks, and conduct drive-by downloads. Symfony now escapes the output of the affected filters to resolve the issue.
Recommendations

For Symfony versions 2.0.0 through 4.4.50, update to version 4.4.51 or later.
For Symfony versions 5.0.0 through 5.4.30, update to version 5.4.31 or later.
For Symfony versions 6.0.0 through 6.3.7, update to version 6.3.8 or later.

As a temporary workaround, consider restricting the use of the affected Twig filters in CodeExtension until a patch is applied.
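The pattern behind this class of bug, as an added illustration that is not Symfony's CodeExtension code: a Twig filter declared with is_safe=html opts out of auto-escaping, so the filter itself must escape whatever untrusted input it embeds. The filter names, the SnippetExtension class and the sample input below are constructed for this example.

```php
<?php
// Added example (not Symfony's code): the same filter written the vulnerable way
// and the fixed way. Both are declared is_safe => ['html'], so Twig applies no
// auto-escaping to their output; only the fixed variant escapes its input.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class SnippetExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Vulnerable pattern: marked safe, but wraps the raw input in markup.
            new TwigFilter('format_snippet_unsafe', [$this, 'formatUnsafe'], ['is_safe' => ['html']]),
            // Fixed pattern: still marked safe, but escapes the untrusted part first.
            new TwigFilter('format_snippet', [$this, 'formatSafe'], ['is_safe' => ['html']]),
        ];
    }

    public function formatUnsafe(string $line): string
    {
        // Any HTML contained in $line is emitted verbatim into the page.
        return '<code>' . $line . '</code>';
    }

    public function formatSafe(string $line): string
    {
        // Escape before wrapping, which is what the is_safe declaration promises.
        return '<code>' . htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</code>';
    }
}

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ line|format_snippet_unsafe }}',
    'safe'   => '{{ line|format_snippet }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new SnippetExtension());

// Constructed untrusted value, standing in for data such as a file name or a
// stack-trace argument that a debug page would format for display.
$line = 'value = <b>injected markup</b>';

echo $twig->render('unsafe', ['line' => $line]), "\n"; // markup passes through unescaped
echo $twig->render('safe',   ['line' => $line]), "\n"; // markup is escaped and shown as text
```

A quick check for your own extensions: grep for `'is_safe'` in TwigFilter and TwigFunction declarations and confirm that each callable escapes every piece of caller-supplied data it interpolates.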

XSS


Weakness Enumeration

Related Identifiers

ALT-PU-2024-1028
ALT-PU-2024-4537
ALT-PU-2024-4547
ALT-PU-2024-4961
ALT-PU-2025-4212
BDU:2023-08237
BIT-SYMFONY-2023-46734
CVE-2023-46734
DLA-3664-1
GHSA-Q847-2Q57-WMR3
USN-7272-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Os
Symfony
Ubuntu