CVE-2017-18343

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-18343
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18343.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-18343
Downstream
Published
2018-07-20T00:29:00.237Z
Modified
2026-04-10T03:58:09.895776Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
26c9a0dc464e0695831c989a86b1007fc0a2a11b
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Fixed
33553101754e0888a1a1fecc46d7a7f10f6f9580
Introduced
eb2a4f5f7a09fc4ce7a74ae883a8cf8a279614f5
Fixed
e1aabd6f50fb4586b330f9ac54b4bcdf7352a0f8
Introduced
5a7e31c48e7cd4831efa409fffb661beb9995174
Fixed
6f80cbd2dd89c5308b14e03d806356fac72c263e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.33"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.26"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.13"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.6"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.0.0-RC1
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-RC4
v2.0.0-RC5
v2.0.0-RC6
v2.0.0BETA1
v2.0.0BETA2
v2.0.0BETA3
v2.0.0BETA4
v2.0.0BETA5
v2.0.0PR8
v2.1.0
v2.1.0-BETA1
v2.1.0-BETA2
v2.1.0-BETA3
v2.1.0-BETA4
v2.1.0-RC1
v2.1.0-RC2
v2.2.0-BETA1
v2.2.0-BETA2
v2.3.0-BETA1
v2.3.0-BETA2
v2.4.0-BETA1
v2.4.0-BETA2
v2.5.0-BETA1
v2.5.0-BETA2
v2.6.0-BETA1
v2.7.0
v2.7.0-BETA1
v2.7.0-BETA2
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
Other
vPR3
vPR4
vPR5
vPR6
vPR8
vPR9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18343.json"