GHSA-72x2-5c85-6wmr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-72x2-5c85-6wmr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-72x2-5c85-6wmr/GHSA-72x2-5c85-6wmr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-72x2-5c85-6wmr
- Aliases
- Published
- 2023-11-12T15:53:29Z
- Modified
- 2024-11-04T21:21:59.898471Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Symfony potential Cross-site Scripting in WebhookController
- Details
-
Description
The error message in WebhookController returns unescaped user-submitted input.
Resolution
WebhookController now doesn't return any user-submitted input in its response.
The patch for this issue is available here for branch 6.3.
Credits
We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.
- Database specific
{ "nvd_published_at": "2023-11-10T18:15:09Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-11-12T15:53:29Z" }- References
-
- https://github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr
- https://nvd.nist.gov/vuln/detail/CVE-2023-46735
- https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46735.yaml
- https://github.com/symfony/symfony
- https://symfony.com/cve-2023-46735
Affected packages
Packagist / symfony/webhook
Package
- Name
- symfony/webhook
- Purl
- pkg:composer/symfony/webhook
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony