Описание
Symfony potential Cross-site Scripting in WebhookController
Description
The error message in WebhookController returns unescaped user-submitted input.
Resolution
WebhookController now doesn't return any user-submitted input in its response.
The patch for this issue is available here for branch 6.3.
Credits
We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.
Ссылки
- https://github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr
- https://nvd.nist.gov/vuln/detail/CVE-2023-46735
- https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46735.yaml
- https://symfony.com/cve-2023-46735
Пакеты
symfony/webhook
>= 6.3.0, < 6.3.8
6.3.8
symfony/symfony
>= 6.3.0, < 6.3.8
6.3.8
Связанные уязвимости
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response.
Symfony is a PHP framework for web and console applications and a set ...