CVE-2018-19790 — Symfony Open Redirect

Description

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

How to fix CVE-2018-19790

To remediate CVE-2018-19790, upgrade the affected package to a fixed version below.

—upgrade to 3.4.20+dfsg-1 or later
—upgrade to 2.7.50 or later
—upgrade to 2.7.50 or later
—upgrade to 2.7.50 or later

Is CVE-2018-19790 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 3.4.20+dfsg-1
>= 2.7.38, < 2.7.50
>= 2.7.38, < 2.7.50
>= 2.7.38, < 2.7.50

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (20)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-19790
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-19790
PATCHgithub.com/symfony/symfony
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-19790.yaml