Potential XSS in WebhookController

Moderate
nicolas-grekas published GHSA-72x2-5c85-6wmr Nov 10, 2023

Package: symfony/symfony (Composer)
Affected versions: >=6.3.0, <6.3.8
Patched versions: 6.3.8

Package: symfony/webhook (Composer)
Affected versions: >=6.3.0, <6.3.8
Patched versions: 6.3.8

Description

The error message in WebhookController returns unescaped user-submitted input.

Resolution

WebhookController now doesn't return any user-submitted input in its response.

The patch for this issue is available here for branch 6.3.
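The following is an added illustration of the bug class and of the fix strategy the resolution describes; it is not Symfony's WebhookController code. The function names, the `$parsers` map and the probe string are constructed, and it assumes the error body is rendered by a browser as HTML.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal webhook handler. The only difference between the two
// error builders is whether the unknown type name is copied into the response.

/** Vulnerable pattern: the caller-supplied type is reflected verbatim. */
function unknownTypeResponseVulnerable(string $type): array
{
    return [
        'status' => 404,
        'body'   => sprintf('No parser found for webhook of type "%s".', $type),
    ];
}

/** Hardened pattern matching the advisory's resolution: no user input in the body. */
function unknownTypeResponseFixed(string $type): array
{
    // If the type is needed for debugging, log it server-side instead of returning it.
    error_log(sprintf('webhook: no parser for type %s', json_encode($type)));
    return ['status' => 404, 'body' => 'No parser found for this webhook type.'];
}

/** Dispatches to a parser by type, or builds a 404 with the supplied error builder. */
function handleWebhook(string $type, array $parsers, callable $errorResponse): array
{
    if (!isset($parsers[$type])) {
        return $errorResponse($type);
    }
    return ['status' => 202, 'body' => 'Accepted'];
}

/** True when the raw, unescaped probe survives into the response body. */
function reflectsInput(array $response, string $probe): bool
{
    return str_contains($response['body'], $probe);
}

// Constructed input: a type name carrying an HTML tag, as an unknown webhook type would
// arrive in the URL path segment the controller uses to select a parser.
$probe   = '<script>alert(1)</script>';
$parsers = ['mailer' => static fn (): ?string => null];

$vulnerable = handleWebhook($probe, $parsers, 'unknownTypeResponseVulnerable');
$fixed      = handleWebhook($probe, $parsers, 'unknownTypeResponseFixed');

var_dump(reflectsInput($vulnerable, $probe)); // the tag is echoed without neutralization
var_dump(reflectsInput($fixed, $probe));      // the body contains no user-submitted input
```

If a message must include the offending value, the alternative is context-appropriate escaping (for example `htmlspecialchars($type, ENT_QUOTES)` for an HTML body); the Symfony fix chose the simpler route of not echoing the input at all.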

Credits

We would like to thank Maxime Aknin for reporting the issue and Nicolas Grekas for providing the fix.

Severity

Moderate

CVE ID

CVE-2023-46735

Weaknesses

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
