← Back

CVE-2017-16652

nvd nist
Published: Jun 13, 2018Modified: Nov 21, 2024

JSON object

Loading...
6.1
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

Affected (5)

Sensiolabs
1 product
Symfony
Debian
1 product
Debian Linux
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Sensiolabs
Symfony
After 2.7.0 to 2.7.38
Symfony
After 2.8.0 to 2.8.31
Symfony
After 3.2.0 to 3.2.14
Symfony
From 3.3.0 to 3.3.13
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 8.0

Related CWEs

CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (4)

Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.