QwikSec

Security Database

CVE

CWE

Training

CVE-2023-46734

Published: Nov 10, 2023

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Vendor	Product	Versions
symfony	symfony	affected `>= 2.0.0, < 4.4.51` affected `>= 5.0.0, < 5.4.31` affected `>= 6.0.0, < 6.3.8`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3

x_refsource_CONFIRM

https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54

x_refsource_MISC

https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c

x_refsource_MISC

https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.