GHSA-q847-2q57-wmr3, CVE-2023-46734
packagist/symfony/symfony
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use is_safe=html but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.
All versions starting from 2.0.0 before 4.4.51, all versions starting from 5.0.0 before 5.4.31, all versions starting from 6.0.0 before 6.3.8
Upgrade to versions 4.4.51, 5.4.31, 6.3.8 or above.
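The mechanism behind this advisory, shown as an added example that is not Symfony's code: a Twig filter declared with is_safe=html tells the autoescaper to skip its output, so anything untrusted it embeds reaches the page unescaped, while the hardened version escapes the untrusted part itself before returning markup. The filter names, the template, and the sample input are all constructed for illustration; the advisory does not list the affected CodeExtension filters.

```php
<?php
// Added example, not Symfony's own code. Assumes twig/twig is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

// Hypothetical filter: wraps its argument in <code> and declares the result HTML-safe,
// but never escapes the argument. This is the pattern the advisory describes.
$unsafeFilter = new TwigFilter(
    'code_label_unsafe',
    fn (string $value): string => '<code>' . $value . '</code>',
    ['is_safe' => ['html']]
);

// Hardened version: is_safe is still declared (the wrapper markup is intentional),
// so the filter must escape the untrusted part itself before building the markup.
$safeFilter = new TwigFilter(
    'code_label_safe',
    fn (string $value): string => '<code>'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</code>',
    ['is_safe' => ['html']]
);

// Autoescaping is on, as it is by default in Symfony's Twig setup.
$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ label|code_label_unsafe }}',
    'safe'   => '{{ label|code_label_safe }}',
]), ['autoescape' => 'html']);
$twig->addFilter($unsafeFilter);
$twig->addFilter($safeFilter);

// Constructed sample input containing markup, standing in for a user-controlled value.
$label = '<b>untrusted</b>';

echo "unsafe filter: ", $twig->render('unsafe', ['label' => $label]), "\n";
echo "safe filter:   ", $twig->render('safe', ['label' => $label]), "\n";
```

With autoescape enabled, the first render still emits the raw `<b>` tag, because is_safe instructs Twig to trust the filter's output; the second render keeps the `<code>` wrapper but turns the embedded tag into entities. The same check, rendering a known markup-bearing string through each is_safe filter, is a quick way to audit custom extensions for this class of bug.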
2023-11-16