CVE-2023-46734

Severity: MEDIUM (CVSS 3.1 base score 6.1) · EPSS 47.8%
Published Nov 10, 2023 · Last Modified Jun 17, 2026

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
47.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 6

Vendor       Product   Version   Range
sensiolabs   symfony   *         ≥2.0.0  –  <4.4.51
sensiolabs   symfony   *         ≥5.0.0  –  <5.4.31
sensiolabs   symfony   *         ≥6.0.0  –  <6.3.8
sensiolabs   twig      *         ≥2.0.0  –  <4.4.51
sensiolabs   twig      *         ≥5.0.0  –  <5.4.31
sensiolabs   twig      *         ≥6.0.0  –  <6.3.8

References 4

  • github.com https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
    Patch
  • github.com https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
    Patch
  • github.com https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
    Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html

Remediation

  • github.com https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
    Patch
  • github.com https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
    Patch