Lucene search

Symfony SASSYMFONY:CVE-2023-46735-POTENTIAL-XSS-IN-WEBHOOKCONTROLLER

HistoryNov 10, 2023 - 12:00 a.m.

CVE-2023-46735: Potential XSS in WebhookController

2023-11-1000:00:00

Symfony SAS

symfony.com

cve-2023-46735 symfonywebhookcomponent securityissue patchavailable usersubmittedinput unescapedresponse credittomaximeaknin credittonicolasgrekas.

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Affected versions

Symfony versions >=6.3.0, <6.3.8 of the Symfony Webhook component are affected by this security issue.

The issue has been fixed in Symfony 6.3.8.

Description

The error message in WebhookController returns unescaped user-submitted input.

Resolution

WebhookController now doesn’t return any user-submitted input in its response.

The patch for this issue is available here for branch 6.3.

Credits

We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.

add a reaction ❤️ 👍 🚀

Published in #Security Advisories

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Related for SYMFONY:CVE-2023-46735-POTENTIAL-XSS-IN-WEBHOOKCONTROLLER