CVE-2023-46735 — Cross-site Scripting in Symfony

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

2.5%

top 14.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sensiolabs Symfony Symfony Symfony Webhook

Timeline

PublishedNov 10

Latest updateNov 12

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Packagistsymfony/symfony6.3.0 — 6.3.8

▶Packagistsymfony/webhook6.3.0 — 6.3.8

▶NVDsensiolabs/symfony6.0.0 — 6.3.8

▶CVEListV5symfony/symfony>= 6.3.0, < 6.3.8

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Symfony potential Cross-site Scripting in WebhookController↗2023-11-12

▶

OSV

Symfony potential Cross-site Scripting in WebhookController↗2023-11-12

▶

OSV

CVE-2023-46735: Symfony is a PHP framework for web and console applications and a set of reusable PHP components↗2023-11-10

▶

CVEList

Symfony potential Cross-site Scripting in WebhookController↗2023-11-10

▶

📋Vendor Advisories

Debian

CVE-2023-46735: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2023

▶