CVE-2018-11408

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

Published: Jun 13, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-11408
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-601

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	2.7.0	2.7.48
sensiolabs / symfony	2.8.0	2.8.41
sensiolabs / symfony	3.3.0	3.3.17
sensiolabs / symfony	3.4.0	3.4.11
sensiolabs / symfony	4.0.0	4.0.11
debian / debian_linux	8.0	8.0.x

https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
https://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

Vulnerability Database

289,784

CVE-2018-11408