CVE-2018-19790 – symfony/security
Package
Manager: composer
Name: symfony/security
Vulnerable Version: >=2.7.38 <2.7.50 || >=2.8.0 <2.8.49 || >=3.0.0 <3.4.19 || >=4.0.0 <4.0.15 || >=4.1.0 <4.1.9 || >=4.2.0 <4.2.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00474 (percentile 0.63816)
Details
Symfony Open Redirect
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
Metadata
Created: 2022-05-14T01:04:20Z
Modified: 2024-04-25T22:12:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-89r2-5g34-2g47/GHSA-89r2-5g34-2g47.json
CWE IDs: CWE-601
Alternative ID: GHSA-89r2-5g34-2g47
Finding: F156
Auto approve: 1