CVE-2013-4752 — Cross-site Scripting in Symfony

CWE-79 — Cross-site Scripting7 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.9%

top 23.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sensiolabs Symfony Symfony Http-foundation Symfony +1 more

Timeline

PublishedJan 2

Latest updateMay 5

Description

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Packagistsymfony/symfony2.0.0 — 2.0.24+3

▶NVDsensiolabs/symfony2.0.0 — 2.0.24+3

▶Packagistsymfony/http-foundation2.0.0 — 2.0.24+3

Also affects: Fedora 18, 19

Patches

Patch: symfony.com ↗Patch: bugzilla.redhat.com ↗Patch: symfony.com ↗

🔴Vulnerability Details

OSV

Symfony Host Header Injection vulnerability in the HttpFoundation component↗2022-05-05

▶

GHSA

Symfony Host Header Injection vulnerability in the HttpFoundation component↗2022-05-05

▶

CVEList

CVE-2013-4752: Symfony 2↗2020-01-02

▶

💬Community

Bugzilla

CVE-2013-4752 php-symfony2-HttpFoundation: Request::getHost() poisioning↗2013-08-09

▶

Bugzilla

CVE-2013-4752 php-symfony2-HttpFoundation: Request::getHost() poisioning [fedora-all]↗2013-08-09

▶

Bugzilla

CVE-2013-4752 php-symfony2-HttpFoundation: Request::getHost() poisioning [epel-6]↗2013-08-09

▶