Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03MngyLTVjODUtNndtcs4AA3Cz

Symfony potential Cross-site Scripting in WebhookController

Description

The error message in WebhookController returns unescaped user-submitted input.

Resolution

WebhookController no longer returns any user-submitted input in its response.

The patch for this issue is available here for branch 6.3.

Credits

We would like to thank Maxime Aknin for reporting the issue and Nicolas Grekas for providing the fix.

Permalink: https://github.com/advisories/GHSA-72x2-5c85-6wmr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MngyLTVjODUtNndtcs4AA3Cz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-72x2-5c85-6wmr, CVE-2023-46735
References:

Affected Packages

packagist:symfony/symfony
Versions: >= 6.3.0, < 6.3.8
Fixed in: 6.3.8
packagist:symfony/webhook
Versions: >= 6.3.0, < 6.3.8
Fixed in: 6.3.8