CVE-2018-11408
MEDIUM6.1EPSS 0.31%Symfony Open Redirect
Published: 5/14/2022Modified: 5/27/2026
Description
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
Affected packages (3)
- Debian/symfonyfrom 0, < 3.4.12+dfsg-1
- Packagist/symfony/security-bundle>= 2.7.0, < 2.7.48
- Packagist/symfony/symfony>= 2.7.0, < 2.7.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-11408
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-11408
- PATCHhttps://github.com/symfony/symfony
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2018-11408.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11408.yaml
- WEBhttps://github.com/symfony/symfony/commit/b20e83562e32c56f8d9b8296ab07b0e4c0a54db8
- WEBhttps://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
- WEBhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
- WEBhttps://symfony.com/cve-2018-11408