← Back

CVE-2023-46734

nvd nist
Published: Nov 10, 2023Modified: Nov 21, 2024

JSON object

Loading...
6.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.7
Source: NVD

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Affected (6)

Products: Sensiolabs: Symfony, Twig
Sensiolabs
2 products
Symfony
Twig
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Sensiolabs
Symfony
From 2.0.0 to 4.4.51
Symfony
From 5.0.0 to 5.4.31
Symfony
From 6.0.0 to 6.3.8
Sensiolabs
Twig
From 2.0.0 to 4.4.51
Twig
From 5.0.0 to 5.4.31
Twig
From 6.0.0 to 6.3.8

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (8)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.