CVE-2023-46734: Cross-site Scripting in Symfony

Severity: 6.1 MEDIUM (NVD)
EPSS: 2.1% (top 15.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 10; latest update Feb 18

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0, and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension are declared with `is_safe=html` but do not actually ensure that their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony escapes the output of the affected filters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (6 packages)

Packagist: symfony/twig-bridge, affected from 2.0.0, fixed in 4.4.51 (+2)
Packagist: symfony/symfony, affected from 2.0.0, fixed in 4.4.51 (+2)
NVD: sensiolabs/symfony, affected from 2.0.0, fixed in 4.4.51 (+2)
Debian: symfony/symfony, < 4.4.19+dfsg-2+deb11u4 (+3)
CVEListV5: symfony/symfony, >= 2.0.0, < 4.4.51; >= 5.0.0, < 5.4.31; >= 6.0.0, < 6.3.8 (+2)

Patches

Vulnerability Details (5)

OSV: symfony vulnerabilities (2025-02-18)
GHSA: Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters (2023-11-12)
OSV: Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters (2023-11-12)
OSV: CVE-2023-46734: Symfony is a PHP framework for web and console applications and a set of reusable PHP components (2023-11-10)
CVEList: Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters (2023-11-10)

Vendor Advisories (2)

Ubuntu: Symfony vulnerabilities (2025-02-18)
Debian: CVE-2023-46734: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl... (2023)