Reflected Cross-site Scripting Vulnerability in Symfony Web Profiler by SensioLabs
CVE-2018-12040

6.1MEDIUM

Key Information:

Vendor: Sensiolabs
Status: Symfony
Vendor: CVE Published:; 13 June 2018

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the web profiler of Symfony 3.3.6 by SensioLabs. This flaw allows attackers to inject arbitrary web scripts or HTML content via the 'file' parameter in a specially crafted URI (_profiler/open?file=). Although the vendor recommends not deploying the web profiler in production environments and does not treat this issue as a security vulnerability, it poses risks if the profiler is inadvertently exposed, possibly leading to unauthorized script execution in user browsers.

References

http://packetstormsecurity.com/files/148125/SensioLabs-Sy...

x_refsource_MISC

http://www.securityfocus.com/archive/1/542071/100/0/threaded

mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 13, 2018
Vulnerability Reserved
Jun 7, 2018