Symfony Open Redirect
Moderate severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Apr 25, 2024
Package
Affected versions
>= 2.7.38, < 2.7.50
>= 2.8.0, < 2.8.49
>= 3.0.0, < 3.4.19
>= 4.0.0, < 4.0.15
>= 4.1.0, < 4.1.9
>= 4.2.0, < 4.2.1
Patched versions
2.7.50
2.8.49
3.4.19
4.0.15
4.1.9
4.2.1
>= 2.7.38, < 2.7.50
>= 2.8.0, < 2.8.49
>= 3.0.0, < 3.4.20
>= 4.0.0, < 4.0.15
>= 4.1.0, < 4.1.9
>= 4.2.0, < 4.2.1
2.7.50
2.8.49
3.4.20
4.0.15
4.1.9
4.2.1
>= 2.7.38, < 2.7.50
>= 2.8.0, < 2.8.49
>= 3.0.0, < 3.4.20
>= 4.0.0, < 4.0.15
>= 4.1.0, < 4.1.9
2.7.50
2.8.49
3.4.20
4.0.15
4.1.9
Description
Published by the National Vulnerability Database
Dec 18, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Apr 25, 2024
Last updated
Apr 25, 2024
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the
_failure_path
input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.References