GHSA-p9fg-j6ww-953m – friendsofsymfony/rest-bundle
Package
Manager: composer
Name: friendsofsymfony/rest-bundle
Vulnerable Version: >=1.2.0 <1.2.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
FOSRestBundle issue with broken validation of JSONP callbacks

Starting with FOSRestBundle 1.2 we [switched](https://github.com/FriendsOfSymfony/FOSRestBundle/pull/642/files#diff-431bc57ca9ca16332c0cff43ad45263cR37) to using [willdurand/jsonp-callback-validator](https://github.com/willdurand/JsonpCallbackValidator) for validation of JSONP callbacks. However, [the change was implemented](https://github.com/FriendsOfSymfony/FOSRestBundle/pull/665) incorrectly: it validated the name of the callback query parameter rather than its value, so the client-supplied callback string itself was never checked before being written into the response. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle [1.2.2](https://github.com/FriendsOfSymfony/FOSRestBundle/releases/tag/1.2.2).
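The bug pattern described above, as an added illustration that is not FOSRestBundle's or willdurand/jsonp-callback-validator's own code: `isValidJsonpCallback` is a hypothetical, deliberately simplified stand-in for a callback validator, and `buildJsonpBuggy`/`buildJsonpFixed` are constructed handlers that differ only in whether the query parameter's name or its value is passed to the validator.

```php
<?php
// Added example (not from the advisory or the project): validating the
// callback query parameter's NAME instead of its VALUE.

// Hypothetical stand-in for a JSONP callback validator: accept only a
// dotted JavaScript identifier such as "handleData" or "app.cb".
function isValidJsonpCallback(string $callback): bool
{
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return (bool) preg_match("/^{$identifier}(\\.{$identifier})*$/", $callback);
}

// Buggy pattern: the parameter name (e.g. "callback") is validated. Since
// the name is always a well-formed identifier, the check can never fail,
// and the client-supplied value is written into the response unchecked.
function buildJsonpBuggy(array $query, string $callbackParam, string $json): ?string
{
    if (!isset($query[$callbackParam]) || !isValidJsonpCallback($callbackParam)) {
        return null;
    }
    return sprintf('/**/%s(%s);', $query[$callbackParam], $json);
}

// Fixed pattern: the client-supplied value is what gets validated.
function buildJsonpFixed(array $query, string $callbackParam, string $json): ?string
{
    if (!isset($query[$callbackParam]) || !isValidJsonpCallback($query[$callbackParam])) {
        return null;
    }
    return sprintf('/**/%s(%s);', $query[$callbackParam], $json);
}

$json = json_encode(['ok' => true]);

// Constructed query strings: one benign callback, one that is not an identifier.
$benign  = ['callback' => 'handleData'];
$invalid = ['callback' => 'foo(); bar'];

foreach (['benign' => $benign, 'invalid' => $invalid] as $label => $query) {
    $buggy = buildJsonpBuggy($query, 'callback', $json);
    $fixed = buildJsonpFixed($query, 'callback', $json);
    printf("%-8s buggy: %s\n", $label, $buggy === null ? 'rejected' : $buggy);
    printf("%-8s fixed: %s\n", $label, $fixed === null ? 'rejected' : $fixed);
}
```

Running it shows that the buggy handler emits a response for both inputs, while the fixed handler emits one only for `handleData` and rejects `foo(); bar`. The same check is a useful regression test for any JSONP handler: feed a callback value containing characters outside the identifier set and assert that the response is refused.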
Metadata
Created: 2024-05-15T21:41:09Z
Modified: 2024-05-15T21:41:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-p9fg-j6ww-953m/GHSA-p9fg-j6ww-953m.json
CWE IDs: []
Alternative ID: N/A
Finding: F184
Auto approve: 1