Vulnerability CVE-2023-46734: Information

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Severity: MEDIUM (6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2023-46734
Published: Nov. 10, 2023
Modified: Nov. 21, 2024
Error type identifier: CWE-79

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
itopsisyphus3.2.0.2-alt13.2.2-alt2ALT-PU-2025-1468-2369847Fixed
itopsisyphus_e2k3.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-1071-1-Fixed
itopsisyphus_riscv643.2.0.2-alt13.2.2-alt2ALT-PU-2025-1528-1-Fixed
itopsisyphus_loongarch643.1.1.1-alt13.2.2-alt2ALT-PU-2024-1042-1-Fixed
itopp103.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4537-3343613Fixed
itopp10_e2k3.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4805-1-Fixed
itopc10f23.1.1.1-alt13.2.2-alt1ALT-PU-2024-4549-3343622Fixed
itopc9f23.1.1.1-alt13.2.0.2-alt0.c9f2.1ALT-PU-2024-4547-3343621Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
  • Patch
https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
  • Patch
https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
  • Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
    BDU:2023-08237
      GHSA-q847-2q57-wmr3
          1. cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
            Start including
            2.0.0
            End excluding
            4.4.51
            cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
            Start including
            5.0.0
            End excluding
            5.4.31
            cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
            Start including
            6.0.0
            End excluding
            6.3.8
            cpe:2.3:a:sensiolabs:twig:*:*:*:*:*:*:*:*
            Start including
            2.0.0
            End excluding
            4.4.51
            cpe:2.3:a:sensiolabs:twig:*:*:*:*:*:*:*:*
            Start including
            5.0.0
            End excluding
            5.4.31
            cpe:2.3:a:sensiolabs:twig:*:*:*:*:*:*:*:*
            Start including
            6.0.0
            End excluding
            6.3.8
        VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
        Version: v26.2.2
        Back to top