CVE-2018-19790
EUVD-2022-315818.12.2018, 22:29
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sensiolabs | symfony | 2.7.0 ≤ 𝑥 < 2.7.50 |
| sensiolabs | symfony | 2.8.0 ≤ 𝑥 < 2.8.49 |
| sensiolabs | symfony | 3.0.0 ≤ 𝑥 < 3.4.20 |
| sensiolabs | symfony | 4.0.0 ≤ 𝑥 < 4.0.15 |
| sensiolabs | symfony | 4.1.0 ≤ 𝑥 < 4.1.9 |
| sensiolabs | symfony | 4.2.0 ≤ 𝑥 < 4.2.1 |
| debian | debian_linux | 8.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
References