CVE-2018-19790

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-19790

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19790.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-19790

Aliases

GHSA-89r2-5g34-2g47

Related

Published

2018-12-18T22:29:05Z

Modified

2024-09-18T02:59:41.304207Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

References

Affected packages

Debian:11 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.20+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.20+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.20+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/symfony/security-http

Affected ranges

Type: GIT
Repo: https://github.com/symfony/security-http
Events: Introduced

946668ddc1fa0279fe03e2c090ebc29881f12ddb

Fixed

f56f12f983148be8739112509fa8578bca3b81de

Type: GIT
Repo: https://github.com/symfony/symfony
Events: Introduced

58261043876feb695640457c5675bb331a6eb3b7

Fixed

9993cdc7e9358e57a9c09d636fbe92ed9e797315

Affected versions

v2.*

v2.7.48

v2.7.49

v2.7.50

v2.8.42

v2.8.43

v2.8.44

v2.8.45

v2.8.46

v2.8.47

v2.8.48

v2.8.49

v3.*

v3.4.12

v3.4.13

v3.4.14

v3.4.15

v3.4.16

v3.4.17

v3.4.18

v3.4.19

v3.4.20

v4.*

v4.0.12

v4.0.13

v4.0.14

v4.1.0

v4.1.0-BETA3

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8