CVSS3: 6.1 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

AI Score: 7 High (Confidence: Low)
EPSS: 0.0005 Low (Percentile: 17.0%)

The error message in WebhookController returns unescaped user-submitted input.
WebhookController no longer returns any user-submitted input in its response.
The patch for this issue is available here for branch 6.3.
We would like to thank Maxime Aknin for reporting the issue and Nicolas Grekas for providing the fix.
Name | Operator | Version |
---|---|---|
symfony/symfony | lt | 6.3.8 |
symfony/webhook | lt | 6.3.8 |
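
To check whether a project locks one of the affected packages, the following added example (not part of the advisory or of Symfony) reads a `composer.lock` and applies the table above literally: any stable version below 6.3.8 is reported as affected. The function names and the sample lock file are constructed for illustration.

```python
import json
import re

# Affected packages and first fixed version, taken from the table above.
FIXED = {"symfony/symfony": (6, 3, 8), "symfony/webhook": (6, 3, 8)}


def parse_version(raw):
    """Return (major, minor, patch) for a stable Composer version, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def audit_lock(lock_text):
    """Return [(package, locked version, verdict)] for the affected packages."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            if name not in FIXED:
                continue
            raw = pkg.get("version", "")
            ver = parse_version(raw)
            if ver is None:
                verdict = "unknown"  # dev branches, RC tags: check manually
            elif ver < FIXED[name]:
                verdict = "affected"
            else:
                verdict = "fixed"
            findings.append((name, raw, verdict))
    return findings


# Constructed sample lock file (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/webhook", "version": "v6.3.7"},
        {"name": "symfony/http-kernel", "version": "v6.3.7"},
        {"name": "symfony/symfony", "version": "v6.3.8"},
    ],
    "packages-dev": [{"name": "symfony/webhook", "version": "6.3.x-dev"}],
})

if __name__ == "__main__":
    for name, raw, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{name} {raw}: {verdict}")
```

Versions reported as `unknown` are branch aliases or pre-releases that cannot be compared numerically and need a manual look at the locked commit.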
github.com/advisories/GHSA-72x2-5c85-6wmr
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46735.yaml
github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962
github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr
nvd.nist.gov/vuln/detail/CVE-2023-46735
symfony.com/cve-2023-46735