CVE-2023-46734
- Source
- https://cve.org/CVERecord?id=CVE-2023-46734
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46734.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-46734
- Aliases
- Downstream
- Published
- 2023-11-10T17:49:55.188Z
- Modified
- 2026-05-28T04:09:07.639374527Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
- Details
-
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use
is_safe=htmlbut don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46734.json", "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M" }- References
-
- https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46734.json
- https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
- https://nvd.nist.gov/vuln/detail/CVE-2023-46734
- https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
- https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
Affected packages
Git / github.com/symfony/security-http
Git / github.com/symfony/symfony
Affected ranges
- Type
- GIT
- Repo
- https://github.com/symfony/symfony
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedFixedFixed
- Database specific
{ "cpe": [ "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:twig:*:*:*:*:*:*:*:*" ], "extracted_events": [ { "introduced": "2.0.0" }, { "fixed": "4.4.51" }, { "introduced": "5.0.0" }, { "fixed": "5.4.31" }, { "introduced": "6.0.0" }, { "fixed": "6.3.8" } ], "source": [ "CPE_RANGE", "REFERENCES" ] }
Affected versions
v2.*
v2.0.0
v2.1.0
v2.1.0-BETA1
v2.1.0-BETA2
v2.1.0-BETA3
v2.1.0-BETA4
v2.1.0-RC1
v2.1.0-RC2
v2.2.0-BETA1
v2.2.0-BETA2
v2.3.0-BETA1
v2.3.0-BETA2
v2.4.0-BETA1
v2.4.0-BETA2
v2.5.0-BETA1
v2.5.0-BETA2
v2.6.0-BETA1
v3.*
v3.0.0
v3.0.0-BETA1
v3.2.0-BETA1
v3.2.0-RC1
v3.3.0-BETA1
v4.*
v4.0.0-BETA1
v4.0.0-BETA2
v4.0.0-BETA3
v4.0.0-BETA4
v4.2.0-BETA1
v4.2.0-BETA2
v4.3.0-BETA1
v4.4.0
v4.4.0-BETA1
v4.4.0-BETA2
v4.4.0-RC1
v4.4.1
v4.4.10
v4.4.11
v4.4.12
v4.4.13
v4.4.14
v4.4.15
v4.4.16
v4.4.17
v4.4.18
v4.4.19
v4.4.2
v4.4.20
v4.4.21
v4.4.22
v4.4.23
v4.4.24
v4.4.25
v4.4.26
v4.4.27
v4.4.28
v4.4.29
v4.4.3
v4.4.30
v4.4.31
v4.4.32
v4.4.33
v4.4.34
v4.4.35
v4.4.36
v4.4.37
v4.4.38
v4.4.39
v4.4.4
v4.4.40
v4.4.41
v4.4.42
v4.4.43
v4.4.44
v4.4.45
v4.4.46
v4.4.47
v4.4.48
v4.4.49
v4.4.5
v4.4.50
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v5.*
v5.0.0-BETA1
v5.0.0-BETA2
v5.0.0-RC1
v5.1.0-BETA1
v5.2.0-BETA1
v5.2.0-BETA2
v5.2.0-BETA3
v5.3.0-BETA1
v5.3.0-BETA2
v5.3.0-BETA3
v5.3.0-BETA4
v5.4.0
v5.4.0-BETA1
v5.4.0-BETA2
v5.4.0-BETA3
v5.4.0-RC1
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.14
v5.4.15
v5.4.16
v5.4.17
v5.4.18
v5.4.19
v5.4.2
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.24
v5.4.25
v5.4.26
v5.4.27
v5.4.28
v5.4.29
v5.4.3
v5.4.30
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.4.8
v5.4.9
v6.*
v6.0.0-BETA1
v6.0.0-BETA2
v6.0.0-BETA3
v6.0.0-RC1
v6.1.0-BETA1
v6.1.0-BETA2
v6.1.0-RC1
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.3.0
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7