Uncontrolled external site redirect in Symfony
Description
Symfony Open Redirect
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
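The description above names the class of bypass (a backslash in a user-supplied post-login target slips past a host check because the URL parser on the server sees a relative path while browsers normalise "\" to "/"). The following PHP is an added example written for this page, not Symfony's own code or its fix: a naive redirect-target check placed beside a hardened one, run over constructed test vectors. Function names (naiveIsLocalTarget, hardenedIsLocalTarget, safeFailurePath) and the sample targets are assumptions for illustration.

```php
<?php
// Added example (not Symfony's code): validating a login "failure path"
// parameter so that a redirect can only land on this site.
declare(strict_types=1);

/**
 * Naive check: rejects only targets that carry an explicit scheme or host,
 * or that start with "//". A target such as "\\evil.example" passes, because
 * parse_url() reports no host for it, yet browsers treat "\" like "/".
 */
function naiveIsLocalTarget(string $target): bool
{
    if ($target === '' || str_starts_with($target, '//')) {
        return false;
    }
    $parts = parse_url($target);

    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

/**
 * Hardened check: the target must be an absolute path on this site.
 *  - reject control characters and whitespace
 *  - reject any backslash (browsers normalise "\" to "/", parsers do not)
 *  - require exactly one leading "/" (so "//host" and "/\host" are refused)
 *  - after parsing, require no scheme, host, userinfo or port
 */
function hardenedIsLocalTarget(string $target): bool
{
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    if (str_contains($target, '\\')) {
        return false;
    }
    if ($target[0] !== '/' || (isset($target[1]) && $target[1] === '/')) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return false;
        }
    }

    return true;
}

/**
 * Resolve the post-login destination: use the submitted target only when it
 * passes the hardened check, otherwise fall back to a fixed local default.
 */
function safeFailurePath(?string $submitted, string $default = '/login'): string
{
    if ($submitted !== null && hardenedIsLocalTarget($submitted)) {
        return $submitted;
    }

    return $default;
}

// Constructed test vectors (not from the advisory): [naive verdict, hardened verdict].
$vectors = [
    '/account'             => [true,  true],
    '/account?next=1'      => [true,  true],
    'https://evil.example' => [false, false],
    '//evil.example'       => [false, false],
    '\\\\evil.example'     => [true,  false], // the string "\\evil.example"
    '/\\evil.example'      => [true,  false], // the string "/\evil.example"
];

foreach ($vectors as $target => [$expectNaive, $expectHardened]) {
    $naive = naiveIsLocalTarget($target);
    $hardened = hardenedIsLocalTarget($target);
    if ($naive !== $expectNaive || $hardened !== $expectHardened) {
        throw new RuntimeException("unexpected verdict for $target");
    }
    printf("%-24s naive=%-5s hardened=%-5s resolved=%s\n",
        $target, var_export($naive, true), var_export($hardened, true), safeFailurePath($target));
}
```

The two rows that differ between the columns are the backslash forms: the naive check accepts them as local paths, the hardened check refuses them and safeFailurePath falls back to the default. Rejecting the character outright is simpler and safer than trying to emulate every browser's normalisation of it; the same applies to any other input that should never appear in a same-site path.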
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 12 | | | 3.4.20+dfsg-1 |
| packagist | | | 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9 |
| packagist | | | 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9, 4.2.1 |
| packagist | | | 2.7.50, 2.8.49, 3.4.19, 4.0.15, 4.1.9, 4.2.1 |
| debian 11 | | | 3.4.20+dfsg-1 |
| debian 13 | | | 3.4.20+dfsg-1 |
| debian 14 | | | 3.4.20+dfsg-1 |