CVE-2017-18343

The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar

Published: Jul 20, 2018
Updated: Nov 8, 2023
CVE: CVE-2017-18343
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	-	2.7.33
sensiolabs / symfony	2.8.0	2.8.26
sensiolabs / symfony	3.0.0	3.2.13
sensiolabs / symfony	3.3.0	3.3.6

https://github.com/barryvdh/laravel-debugbar/issues/850
https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c
https://github.com/symfony/symfony/issues/27987
https://github.com/symfony/symfony/pull/23684

Vulnerability Database

289,697

CVE-2017-18343