CVE-2024-50345: Open Redirect in Symfony

CWE-601 Open Redirect | 7 documents | 6 sources
Severity: 6.1 MEDIUM (NVD); CNA 3.1
EPSS: 0.4% (top 39.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 6; latest update Feb 18

Description

symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs containing special characters the same way browsers do. As a result, an attacker can trick a validator that relies on the `Request` class into redirecting users to another domain. The `Request::create` methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in v
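The parser mismatch the description refers to, shown as an added example that is not Symfony's code and not taken from the advisory. Node's global `URL` implements the WHATWG URL Standard that browsers follow and stands in for the browser; `naiveHost` is a hypothetical RFC 3986-style authority splitter standing in for a validator built on `parse_url()`-style parsing; the host names, the crafted URI and the `WHATWG_INVALID` character set are assumptions made for this example (the set is modelled on the spec's rules for special schemes, not copied from Symfony's patch).

```javascript
// Added example (not Symfony's code): a host-allowlist check built on an
// RFC 3986-style split disagrees with a WHATWG (browser) parser on crafted input.
// All inputs below are constructed for this demonstration.

// Hypothetical naive host extraction: authority = everything between "://" and
// the first "/", "?" or "#"; host = the part after the last "@", before ":".
// Assumption: this mirrors parsers such as PHP's parse_url(), which do not
// treat "\" as a delimiter.
function naiveHost(uri) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/.exec(uri);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf('@');
  const hostPort = at === -1 ? authority : authority.slice(at + 1);
  return hostPort.split(':')[0].toLowerCase();
}

// The host a browser actually navigates to. Under the WHATWG URL Standard, "\"
// in a special scheme (http, https, ...) is treated like "/", so it ends the
// authority early and everything after it becomes the path.
function browserHost(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Characters the WHATWG parser strips, rewrites or rejects but an RFC 3986-style
// parser passes through: C0 controls, space, DEL and backslash.
// Assumption: modelled on the spec, not Symfony's exact check.
const WHATWG_INVALID = /[\u0000-\u0020\u007f\\]/;

// Unpatched behaviour: trust the naive parser's host alone.
function naiveIsSafeRedirect(uri, allowedHost) {
  return naiveHost(uri) === allowedHost.toLowerCase();
}

// Hardened check, in the spirit of the fix: refuse any URI the two parsers
// could read differently, then require both to agree on the allowed host.
function isSafeRedirect(uri, allowedHost) {
  if (WHATWG_INVALID.test(uri)) return false;
  const naive = naiveHost(uri);
  const browser = browserHost(uri);
  return naive !== null && naive === browser && naive === allowedHost.toLowerCase();
}

// Constructed inputs: a benign redirect and a crafted one whose authority hides
// the real destination behind a backslash.
const BENIGN = 'https://trusted.example/account';
const CRAFTED = 'https://evil.example\\@trusted.example/';

for (const uri of [BENIGN, CRAFTED]) {
  console.log(uri, {
    naive: naiveHost(uri),
    browser: browserHost(uri),
    unpatched: naiveIsSafeRedirect(uri, 'trusted.example'),
    hardened: isSafeRedirect(uri, 'trusted.example'),
  });
}
```

Run it with `node`. For the crafted URI the naive splitter reports `trusted.example` (the text after the last `@`), while the WHATWG parser reports `evil.example` because the backslash terminates the authority, so an unpatched validator approves a redirect the browser will send to the attacker's host. The hardened check rejects the input before parsing it, which is the same shape as the patched `Request::create` asserting that the URI contains no characters the WHATWG spec treats as invalid.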

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (4 packages)

Source      Package                    Affected versions                More
Packagist   symfony/http-foundation    6.0.0 ... 6.4.14                 +2
CVEListV5   symfony/symfony            < 5.4.46                         +2
NVD         sensiolabs/symfony         6.0.0 ... 6.4.14                 +2
Debian      symfony/symfony            < 4.4.19+dfsg-2+deb11u7          +3

🔴 Vulnerability Details (4)

- CVEList: Open redirect via browser-sanitized URLs in symfony/http-foundation (2024-11-06)
- OSV: CVE-2024-50345: symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification (2024-11-06)
- OSV: Symfony vulnerable to open redirect via browser-sanitized URLs (2024-11-06)
- GHSA: Symfony vulnerable to open redirect via browser-sanitized URLs (2024-11-06)

📋 Vendor Advisories (2)

- Ubuntu: Symfony vulnerabilities (2025-02-18)
- Debian: CVE-2024-50345: symfony - symfony/http-foundation is a module for the Symfony PHP framework which defines... (2024)
CVE-2024-50345 — Open Redirect in Symfony | cvebase