GHSA-p9fg-j6ww-953m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p9fg-j6ww-953m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p9fg-j6ww-953m/GHSA-p9fg-j6ww-953m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p9fg-j6ww-953m
- Published
- 2024-05-15T21:41:09Z
- Modified
- 2024-11-29T05:30:34.898228Z
- Summary
- FOSRestBundle issue with broken validation of JSONP callbacks
- Details
-
Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However the change was implemented incorrectly validating the callback query param name, rather than its value. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-15T21:41:09Z" }- References
-
- https://github.com/FriendsOfSymfony/FOSRestBundle/commit/3dd7d40068360c23366fb4884c5d194c769ec2c1
- https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/rest-bundle/2014-01-22-1.yaml
- https://github.com/FriendsOfSymfony/FOSRestBundle
- https://symfony.com/blog/fosrestbundle-security-issue-with-jsonp-handler
Affected packages
Packagist / friendsofsymfony/rest-bundle
Package
- Name
- friendsofsymfony/rest-bundle
- Purl
- pkg:composer/friendsofsymfony/rest-bundle