Cross-Site Scripting Vulnerability in Symfony Debug Handler
CVE-2017-18343
6.1 MEDIUM
What is CVE-2017-18343?
The Symfony Debug Handler has a cross-site scripting (XSS) vulnerability that can be exploited through an improperly sanitized array key during exception pretty printing in the ExceptionHandler.php file. The vulnerability affects specific versions of the Symfony framework, potentially exposing sensitive data when the debug tools are improperly used in production environments. The vendor maintains that these debugging tools are not meant for production use, but developers who utilize them may still face risks from this type of XSS vulnerability.
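
The flaw class described above, shown as a vulnerable argument formatter beside its hardened form. This is an added example, not code from Symfony's ExceptionHandler.php; the function names `escapeHtml`, `formatArgsUnsafe` and `formatArgsSafe` and the sample array are constructed for illustration, and only scalar and array arguments are handled.

```php
<?php
// Added illustration of the bug class; simplified, not Symfony's own code.

function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Flawed pattern: argument values are escaped, but string array keys are
// written into the HTML error page unchanged.
function formatArgsUnsafe(array $args): string
{
    $out = [];
    foreach ($args as $key => $value) {
        $formatted = is_array($value)
            ? 'array(' . formatArgsUnsafe($value) . ')'
            : "'" . escapeHtml((string) $value) . "'";
        $out[] = is_int($key)
            ? $formatted
            : sprintf("'%s' => %s", $key, $formatted); // key not escaped
    }
    return implode(', ', $out);
}

// Hardened form: keys pass through the same escaping as values, at every
// nesting level.
function formatArgsSafe(array $args): string
{
    $out = [];
    foreach ($args as $key => $value) {
        $formatted = is_array($value)
            ? 'array(' . formatArgsSafe($value) . ')'
            : "'" . escapeHtml((string) $value) . "'";
        $out[] = is_int($key)
            ? $formatted
            : sprintf("'%s' => %s", escapeHtml($key), $formatted);
    }
    return implode(', ', $out);
}

// Constructed sample: an argument array whose keys contain markup.
$args = ['<b>key</b>' => '<i>value</i>', 'nested' => ['<u>k2</u>' => 'v']];

echo formatArgsUnsafe($args), PHP_EOL; // keys reach the page as live markup
echo formatArgsSafe($args), PHP_EOL;   // keys and values are both entity-encoded
```

Comparing the two output lines shows why value-only escaping is insufficient: any part of a data structure rendered into an HTML debug page, keys included, has to be encoded at output time.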