Описание
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The Request
class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request
class to redirect users to another domain. The Request::create
methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Релиз | Статус | Примечание |
---|---|---|
devel | needs-triage | |
esm-apps/bionic | needed | |
esm-apps/focal | released | 4.3.8+dfsg-1ubuntu1+esm2 |
esm-apps/jammy | released | 5.4.4+dfsg-1ubuntu8+esm1 |
esm-apps/noble | released | 6.4.5+dfsg-3ubuntu3+esm1 |
esm-apps/xenial | needed | |
focal | ignored | end of standard support, was needed |
jammy | needed | |
noble | needed | |
oracular | ignored | end of life, was needs-triage |
Показывать по
EPSS
3.1 Low
CVSS3
Связанные уязвимости
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
symfony/http-foundation is a module for the Symphony PHP framework whi ...
Symfony vulnerable to open redirect via browser-sanitized URLs
Уязвимость компонента http-foundation программной платформы для разработки и управления веб-приложениями Symfony, позволяющая нарушителю получить доступ к конфиденциальным данным
EPSS
3.1 Low
CVSS3