Description
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
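The backslash bypass works because browsers normalise `\` to `/` in http(s) URLs, so a check that only rejects targets starting with `//` lets `/\evil.example` through. The following validator is an added example written for this page (it is not Symfony's code or the advisory's); it assumes the posted `_failure_path` value arrives as a plain string and shows the weak check beside a hardened one.

```python
import re
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    """Weak check: only blocks scheme-relative '//host' targets.

    A value such as '/\\evil.example' passes, yet the browser
    rewrites the backslash and loads '//evil.example'.
    """
    return target.startswith("/") and not target.startswith("//")


def is_local_path(target: str) -> bool:
    """Hardened check: accept only a same-site, path-only redirect target."""
    if not target or not target.startswith("/"):
        return False
    # Browsers treat '\' as '/' in http(s) URLs (WHATWG URL standard),
    # so any backslash can turn a path into an off-site authority.
    if "\\" in target:
        return False
    # '//host/...' is a scheme-relative URL, i.e. a different origin.
    if target.startswith("//"):
        return False
    # Control characters and whitespace have no place in a redirect path.
    if re.search(r"[\x00-\x20\x7f]", target):
        return False
    # Defense in depth: parsing must yield neither a scheme nor a host.
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def resolve_failure_path(target: str, default: str = "/login") -> str:
    """Return the posted target if it is safe, otherwise a fixed fallback."""
    return target if is_local_path(target) else default


# Constructed sample inputs (not taken from the advisory).
SAMPLES = {
    "/account": True,
    "/login?error=1": True,
    "//evil.example": False,
    "/\\evil.example": False,      # backslash variant of the line above
    "https://evil.example/": False,
    "": False,
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        print(f"{value!r:28} naive={naive_is_local(value)!s:5} "
              f"hardened={is_local_path(value)!s:5} expected={expected}")
```

Running it shows the naive check accepting the backslash form while the hardened check sends that request to the fallback path.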
Release | Status | Note |
---|---|---|
bionic | ignored | end of standard support, was needed |
cosmic | ignored | end of life |
devel | not-affected | 3.4.20+dfsg-1 |
disco | not-affected | 3.4.20+dfsg-1 |
eoan | not-affected | 3.4.20+dfsg-1 |
esm-apps/bionic | needed | |
esm-apps/focal | not-affected | 3.4.20+dfsg-1 |
esm-apps/jammy | not-affected | 3.4.20+dfsg-1 |
esm-apps/noble | not-affected | 3.4.20+dfsg-1 |
esm-apps/xenial | needed | |
EPSS
CVSS2: 5.8 Medium
CVSS3: 6.1 Medium
Related vulnerabilities
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
Vulnerability in the `_failure_path` authentication input field of the Symfony web application development and management framework, allowing an attacker to gain unauthorized access to information or execute arbitrary code