GoogleOSV:GHSA-72X2-5C85-6WMRSymfony potential Cross-site Scripting in WebhookController
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7 High
AI Score
Confidence
Low
0.0005 Low
EPSS
Percentile
17.0%
Description
The error message in WebhookController returns unescaped user-submitted input.
Resolution
WebhookController now doesn’t return any user-submitted input in its response.
The patch for this issue is available here for branch 6.3.
Credits
We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46735.yaml
github.com/symfony/symfony
github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962
github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr
nvd.nist.gov/vuln/detail/CVE-2023-46735
symfony.com/cve-2023-46735
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7 High
AI Score
Confidence
Low
0.0005 Low
EPSS
Percentile
17.0%