CVE-2018-11408
Severity: MEDIUM
Symfony 2.7.0-2.7.47 - Open Redirect via Inlined security.http_utils
Title source: llmDescription
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
References (5)
Vendor Advisory (x_refsource_confirm)
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
Third Party Advisory, mailing-list (x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
Scores
CVSS v3: 6.1
EPSS: 0.0114
EPSS Percentile: 62.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-601
Status: published
Products (4)
debian/debian_linux: 8.0
sensiolabs/symfony: 2.7.0 - 2.7.48
symfony/security-bundle: 2.7.0 - 2.7.48 (Packagist)
symfony/symfony: 2.7.0 - 2.7.48 (Packagist)
Published: Jun 13, 2018
Tracked Since: Feb 18, 2026