CVE-2023-46734

2023-11-1018:15:09

Debian Security Bug Tracker

security-tracker.debian.org

symfony

php

framework

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

20.4%

JSON

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use is_safe=html but don’t actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

OSVersionArchitecturePackageVersionFilename
Debian12allsymfony< 5.4.23+dfsg-1+deb12u1symfony_5.4.23+dfsg-1+deb12u1_all.deb
Debian11allsymfony< 4.4.19+dfsg-2+deb11u4symfony_4.4.19+dfsg-2+deb11u4_all.deb
Debian999allsymfony< 5.4.31+dfsg-1symfony_5.4.31+dfsg-1_all.deb
Debian13allsymfony< 5.4.31+dfsg-1symfony_5.4.31+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	symfony	< 5.4.23+dfsg-1+deb12u1	symfony_5.4.23+dfsg-1+deb12u1_all.deb
Debian	11	all	symfony	< 4.4.19+dfsg-2+deb11u4	symfony_4.4.19+dfsg-2+deb11u4_all.deb
Debian	999	all	symfony	< 5.4.31+dfsg-1	symfony_5.4.31+dfsg-1_all.deb
Debian	13	all	symfony	< 5.4.31+dfsg-1	symfony_5.4.31+dfsg-1_all.deb