CVE-2018-19790

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-19790

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19790.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-19790

Aliases

GHSA-89r2-5g34-2g47

Downstream

DEBIAN-CVE-2018-19790

DLA-1707-1

DSA-4441-1

UBUNTU-CVE-2018-19790

Published

2018-12-18T22:29:05Z

Modified

2025-09-24T09:01:12.669845Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type: GIT
Repo: https://github.com/symfony/security-http
Events: Introduced

de2f3d51160791ef254010953dbde178fee9845f

Fixed

2e117acf97b059a9da3444a11ea420f1ac7c31d8

Type: GIT
Repo: https://github.com/symfony/symfony
Events: Introduced

9975b1eca3de4db792a2c3e4e16f676a4aadcd46

Fixed

0848ce2c7f3c3ba6cece3f9457a96b176b05860c

Affected versions

v2.*

v2.3.30

v2.3.31

v2.3.32

v2.3.33

v2.3.34

v2.3.35

v2.3.36

v2.3.37

v2.3.38

v2.3.39

v2.3.40

v2.3.41

v2.3.42

v2.6.10

v2.6.11

v2.7.0

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.38

v2.7.39

v2.7.4

v2.7.40

v2.7.41

v2.7.42

v2.7.43

v2.7.44

v2.7.45

v2.7.46

v2.7.47

v2.7.48

v2.7.49

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9