Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xODQ3LTJxNTctd21yM84AA3Cy
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Description
Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe.
Resolution
Symfony now escapes the output of the affected filters.
The patch for this issue is available for branch 4.4 (see the commit references below).
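An added illustration of the bug class this advisory describes, written here as constructed PHP and not taken from Symfony's CodeExtension: a Twig filter registered with is_safe=['html'] promises that its output is already safe HTML, so Twig skips autoescaping, and if the filter then interpolates its input into markup unescaped, untrusted input reaches the page as live HTML. The extension name, filter names and sample input are assumptions, and the script assumes twig/twig is installed via Composer.

```php
<?php
// Constructed example, not Symfony code: a weak filter that claims is_safe
// html but builds markup from raw input, beside its corrected form.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class ShortClassExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Weak: tells Twig the result is safe HTML, yet wraps raw input in markup.
            new TwigFilter('short_class_unsafe', [$this, 'shortClassUnsafe'], ['is_safe' => ['html']]),
            // Corrected: same is_safe contract, but input is escaped before it is wrapped.
            new TwigFilter('short_class', [$this, 'shortClass'], ['is_safe' => ['html']]),
        ];
    }

    public function shortClassUnsafe(string $class): string
    {
        $parts = explode('\\', $class);
        return sprintf('<abbr title="%s">%s</abbr>', $class, end($parts));
    }

    public function shortClass(string $class): string
    {
        $parts = explode('\\', $class);
        // Escape both the attribute value and the element text; the is_safe promise now holds.
        $esc = static fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return sprintf('<abbr title="%s">%s</abbr>', $esc($class), $esc(end($parts)));
    }
}

$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ name|short_class_unsafe }}',
    'safe'   => '{{ name|short_class }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new ShortClassExtension());

// Constructed sample input: a "class name" carrying markup and a double quote.
$name = 'App\\Model\\User<i>"x"</i>';
echo $twig->render('unsafe', ['name' => $name]), "\n"; // tag and quote land in the page verbatim
echo $twig->render('safe', ['name' => $name]), "\n";   // rendered as &lt;i&gt;&quot;x&quot;&lt;/i&gt;
```

Run with `php example.php`; only the second line is safe to place inside an attribute or element, which is the guarantee is_safe=['html'] is supposed to carry.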
Credits
We would like to thank Pierre Rudloff for reporting the issue and Nicolas Grekas for providing the fix.
Permalink: https://github.com/advisories/GHSA-q847-2q57-wmr3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xODQ3LTJxNTctd21yM84AA3Cy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 16 days ago
Updated: 16 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-q847-2q57-wmr3, CVE-2023-46734
References:
- https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
- https://nvd.nist.gov/vuln/detail/CVE-2023-46734
- https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
- https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
- https://symfony.com/cve-2023-46734
- https://github.com/advisories/GHSA-q847-2q57-wmr3
Affected Packages
packagist:symfony/symfony
Versions: >= 6.0.0, < 6.3.8; >= 5.0.0, < 5.4.31; >= 2.0.0, < 4.4.51
Fixed in: 6.3.8, 5.4.31, 4.4.51
packagist:symfony/twig-bridge
Versions: >= 6.0.0, < 6.3.8; >= 5.0.0, < 5.4.31; >= 2.0.0, < 4.4.51
Fixed in: 6.3.8, 5.4.31, 4.4.51