OSV: GHSA-P9FG-J6WW-953M
History: May 15, 2024, 9:41 p.m.

FOSRestBundle issue with broken validation of JSONP callbacks

Published: 2024-05-15 21:41:09
Source: Google / osv.dev
Tags: fosrestbundle, jsonp validation
Fixed version: 1.2.2

AI Score: 7.2 High (Confidence: High)

Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However, the change was implemented incorrectly: it validated the name of the callback query parameter rather than its value, so the value sent by the client was never checked. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
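To make the defect concrete, here is an added example in plain PHP; it is not FOSRestBundle code and does not use willdurand/jsonp-callback-validator, only a simplified stand-in validator, and the function names are hypothetical. It contrasts a handler that checks the parameter name (the 1.2.0/1.2.1 mistake) with one that checks the parameter value (the 1.2.2 behaviour).

```php
<?php
// Simplified stand-in for a JSONP callback validator (assumption: the real
// library's grammar is broader). Accepts only dotted JavaScript identifiers
// with an optional numeric array index, e.g. "cb", "app.handlers.cb", "cb[0]".
function isValidJsonpCallback(string $callback): bool
{
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return (bool) preg_match(
        "/^{$identifier}(\\.{$identifier})*(\\[\\d+\\])?$/",
        $callback
    );
}

// Buggy handler: validates the *name* of the query parameter. The name is
// fixed by the server configuration ("callback") and always passes, so the
// client-supplied value is emitted into the response without any check.
function renderJsonpBuggy(array $query, string $paramName, string $json): string
{
    if (!isValidJsonpCallback($paramName)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return sprintf('%s(%s);', $query[$paramName] ?? '', $json);
}

// Fixed handler: validates the *value* the client sent for that parameter.
function renderJsonpFixed(array $query, string $paramName, string $json): string
{
    $callback = $query[$paramName] ?? '';
    if (!isValidJsonpCallback($callback)) {
        throw new InvalidArgumentException('Invalid JSONP callback');
    }
    return sprintf('%s(%s);', $callback, $json);
}

// Constructed request: the callback value is not a plain identifier.
$query = ['callback' => 'foo();bar'];
$json  = json_encode(['status' => 'ok']);

// The buggy handler accepts the request because "callback" itself is valid.
echo renderJsonpBuggy($query, 'callback', $json), PHP_EOL;

// The fixed handler rejects the same request.
try {
    echo renderJsonpFixed($query, 'callback', $json), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`; the first line shows the unchecked value inside the response body, the second shows the rejection.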
