CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence: Low
EPSS
Percentile: 20.4%
Some Twig filters in CodeExtension use “is_safe=html” but don’t actually ensure their input is safe.
Symfony now escapes the output of the affected filters.
The patch for this issue is available here for branch 4.4.
We would like to thank Pierre Rudloff for reporting the issue and Nicolas Grekas for providing the fix.
github.com/advisories/GHSA-q847-2q57-wmr3
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
lists.debian.org/debian-lts-announce/2023/11/msg00019.html
nvd.nist.gov/vuln/detail/CVE-2023-46734
symfony.com/cve-2023-46734