CVE-2018-12040

EUVD-2018-4023
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI.  NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues).
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
sensiolabssymfony
3.3.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
symfony
bookworm
5.4.23+dfsg-1+deb12u2
fixed
bullseye
4.4.19+dfsg-2+deb11u6
fixed
sid
6.4.13+dfsg-1
fixed
trixie
6.4.13+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
symfony
artful
ignored
bionic
not-affected
cosmic
ignored
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/148125/SensioLabs-Symfony-3.3.6-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/542071/100/0/threaded
http://packetstormsecurity.com/files/148125/SensioLabs-Symfony-3.3.6-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/542071/100/0/threaded