GHSA-p9fg-j6ww-953m: FOSRestBundle issue with broken validation of JSONP callbacks
Starting with FOSRestBundle 1.2 we switched to willdurand/jsonp-callback-validator for validating JSONP callbacks. However, the change was implemented incorrectly: the validator was applied to the name of the callback query parameter rather than to its value, so the callback string actually sent by the client was never checked. Anyone using the JSONP handler (which is off by default) with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
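The following is an added example, not code from FOSRestBundle or from willdurand/jsonp-callback-validator: a JavaScript model of the flaw described above (the bundle itself is PHP). A JSONP response is a script the browser executes, so whatever string ends up in front of the `(` runs as JavaScript. The `isValidCallback` function below is an approximation of the usual callback rule (dotted identifiers, optional index brackets, no reserved words) written for this example; `jsonpResponseFlawed` validates the parameter name, as 1.2.0/1.2.1 did, and `jsonpResponseFixed` validates the value. The query objects, payload and function names are constructed for the example.

```javascript
// Added example, not FOSRestBundle code: a JavaScript model of the JSONP
// callback-validation flaw in FOSRestBundle 1.2.0/1.2.1 (the original is PHP).

// Reserved words that must not appear as a callback segment; a callback such
// as "return" or "function" would turn the response into something other than
// a plain function call. (Constructed list for the example: ES5 reserved words.)
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'implements', 'import', 'in', 'instanceof', 'interface',
  'let', 'new', 'null', 'package', 'private', 'protected', 'public', 'return',
  'static', 'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var',
  'void', 'while', 'with', 'yield',
]);

// One dotted segment: an identifier, optionally followed by numeric or quoted
// string index brackets, e.g. `cb`, `cb[0]`, `cb["x"]`. Nothing else.
const SEGMENT = /^[A-Za-z_$][\w$]*(?:\[(?:\d+|"[^"]*"|'[^']*')\])*$/;

// Syntactic check that the callback is a property path, so that `cb(...)` is a
// single call expression and cannot smuggle in extra statements.
function isValidCallback(value) {
  if (typeof value !== 'string' || value === '') return false;
  return value.split('.').every((segment) => {
    if (!SEGMENT.test(segment)) return false;
    const identifier = segment.replace(/\[.*$/, '');
    return !RESERVED.has(identifier);
  });
}

// Constructed handler mirroring the 1.2.0/1.2.1 mistake: the validator is run
// on the *name* of the query parameter (e.g. "callback"), which is a harmless
// identifier by construction, so every attacker-supplied value passes through.
function jsonpResponseFlawed(query, data, callbackParam = 'callback') {
  if (!isValidCallback(callbackParam)) {
    throw new Error('invalid JSONP callback');
  }
  return `${query[callbackParam]}(${JSON.stringify(data)});`;
}

// Corrected handler (what 1.2.2 does): validate the parameter's value.
function jsonpResponseFixed(query, data, callbackParam = 'callback') {
  const callback = query[callbackParam];
  if (!isValidCallback(callback)) {
    throw new Error('invalid JSONP callback');
  }
  return `${callback}(${JSON.stringify(data)});`;
}

// Constructed requests: the callback value is attacker-chosen whenever the URL
// came from a link or a hostile page.
const hostileQuery = { callback: 'alert(document.cookie);//' };
const benignQuery = { callback: 'jQuery19_cb[0]' };
const payload = { ok: true };

function demo() {
  let hostileFixedRejected = false;
  try {
    jsonpResponseFixed(hostileQuery, payload);
  } catch (e) {
    hostileFixedRejected = true;
  }
  return {
    benignFixed: jsonpResponseFixed(benignQuery, payload),
    hostileFlawed: jsonpResponseFlawed(hostileQuery, payload),
    hostileFixedRejected,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the flawed handler emitting `alert(document.cookie);//({"ok":true});`, which a browser would execute as script, while the fixed handler rejects the same request and still serves `jQuery19_cb[0]({"ok":true});` for a legitimate callback. When auditing a JSONP endpoint, the check to make is exactly this one: confirm the validator is called on the value read from the request, not on the configured parameter name.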
References
- github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/rest-bundle/2014-01-22-1.yaml
- github.com/FriendsOfSymfony/FOSRestBundle
- github.com/FriendsOfSymfony/FOSRestBundle/commit/3dd7d40068360c23366fb4884c5d194c769ec2c1
- github.com/advisories/GHSA-p9fg-j6ww-953m
- symfony.com/blog/fosrestbundle-security-issue-with-jsonp-handler