CVE-2017-18343

Exploit

EPSS 0.5%
Published 20.07.2018 00:29:00
Last modified 21.11.2024 03:19:53
Source cve@mitre.org
Teams watchlist Login
Open Login

The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Sensiolabs ≫ Symfony Version < 2.7.33

Sensiolabs ≫ Symfony Version >= 2.8.0 < 2.8.26

Sensiolabs ≫ Symfony Version >= 3.0.0 < 3.2.13

Sensiolabs ≫ Symfony Version >= 3.3.0 < 3.3.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.5%	0.652

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/barryvdh/laravel-debugbar/issues/850

Third Party Advisory

Exploit

https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c

Patch

Third Party Advisory

https://github.com/symfony/symfony/issues/27987

Third Party Advisory

Exploit

https://github.com/symfony/symfony/pull/23684

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-18343

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-18343

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-18343

EUVD