6.1
CVE-2018-19790
- EPSS 0.47%
- Published 18.12.2018 22:29:05
- Last modified 21.11.2024 03:58:33
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
Data is provided by the National Vulnerability Database (NVD)
Sensiolabs ≫ Symfony Version >= 2.7.0 < 2.7.50
Sensiolabs ≫ Symfony Version >= 2.8.0 < 2.8.49
Sensiolabs ≫ Symfony Version >= 3.0.0 < 3.4.20
Sensiolabs ≫ Symfony Version >= 4.0.0 < 4.0.15
Sensiolabs ≫ Symfony Version >= 4.1.0 < 4.1.9
Sensiolabs ≫ Symfony Version >= 4.2.0 < 4.2.1
Fedoraproject ≫ Fedora Version28
Debian ≫ Debian Linux Version8.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.47% | 0.636 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 5.8 | 8.6 | 4.9 |
AV:N/AC:M/Au:N/C:P/I:P/A:N
|
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.