CVE-2018-11408
Symfony Open Redirect
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 0.31%
Description
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
How to fix CVE-2018-11408
To remediate CVE-2018-11408, upgrade the affected package to a fixed version below.
- upgrade to 3.4.12+dfsg-1 or later
- upgrade to 2.7.48 or later
- upgrade to 2.7.48 or later
Is CVE-2018-11408 being exploited?
Low: EPSS is 0.3%, a low estimated probability of exploitation; exploitation activity has not been observed at scale.
Affected packages (3)
- >= 0, < 3.4.12+dfsg-1
- >= 2.7.0, < 2.7.48
- >= 2.7.0, < 2.7.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |