CVE-2023-46734

Cross-site scripting in packagist/symfony/security-http

Identifiers

GHSA-q847-2q57-wmr3, CVE-2023-46734

Package Slug

packagist/symfony/security-http

Vulnerability

Cross-site scripting

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use is_safe=html but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Affected Versions

All versions starting from 2.0.0 before 4.4.51, all versions starting from 5.0.0 before 5.4.31, all versions starting from 6.0.0 before 6.3.8

Solution

Upgrade to versions 5.4.31, 6.3.8 or above.

Last Modified

2023-11-17

source