VYPR
Moderate severity · NVD Advisory · Published Nov 10, 2023 · Updated Feb 13, 2025

Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters

CVE-2023-46734

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. In the 2.x through 4.4 series prior to 4.4.51, in 5.x prior to 5.4.31, and in 6.x prior to 6.3.8, some Twig filters in CodeExtension are declared with is_safe=html (telling Twig's auto-escaper that their output needs no HTML escaping) but do not actually ensure that their input is safe, so markup in that input reaches the rendered page unescaped. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony escapes the output of the affected filters.
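The pattern behind this advisory, as an added illustration that is not Symfony's or Twig's own code: a Twig filter that declares is_safe=html opts out of auto-escaping, so any untrusted value it embeds in its return string must be escaped by the filter itself. The extension class and the filter names code_label_unsafe and code_label are hypothetical, and the script assumes twig/twig is installed via Composer.

```php
<?php
// Added example (not Symfony's code): a vulnerable is_safe=html filter beside
// its corrected form. Names below are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
use Twig\TwigFilter;

final class CodeLabelExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        return [
            // Vulnerable pattern: output marked safe, but raw input is interpolated.
            // Twig will not escape the result, so any markup in $label survives.
            new TwigFilter('code_label_unsafe', [$this, 'unsafe'], ['is_safe' => ['html']]),
            // Corrected pattern: still is_safe=html (the <code> wrapper is intended
            // markup), but the untrusted part is escaped before it is embedded.
            new TwigFilter('code_label', [$this, 'safe'], ['is_safe' => ['html']]),
        ];
    }

    public function unsafe(string $label): string
    {
        return '<code>' . $label . '</code>';
    }

    public function safe(string $label): string
    {
        return '<code>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</code>';
    }
}

// Two one-line templates, one per filter; auto-escaping is on, as in a default Twig setup.
$twig = new Environment(new ArrayLoader([
    'unsafe' => '{{ label|code_label_unsafe }}',
    'fixed'  => '{{ label|code_label }}',
]), ['autoescape' => 'html']);
$twig->addExtension(new CodeLabelExtension());

// Constructed input: a value carrying markup, as a user-controlled label might.
$input = '<b>not escaped</b>';

echo $twig->render('unsafe', ['label' => $input]), "\n";
// <code><b>not escaped</b></code>   -- markup passes through untouched
echo $twig->render('fixed', ['label' => $input]), "\n";
// <code>&lt;b&gt;not escaped&lt;/b&gt;</code>   -- only the intended wrapper is HTML

// A cheap regression check for any is_safe=html filter: render it with a
// marker containing angle brackets and assert the marker comes back escaped.
function filterEscapesInput(Environment $twig, string $template): bool
{
    $out = $twig->render($template, ['label' => '<marker>']);
    return !str_contains($out, '<marker>') && str_contains($out, '&lt;marker&gt;');
}
var_dump(filterEscapesInput($twig, 'unsafe')); // bool(false)
var_dump(filterEscapesInput($twig, 'fixed'));  // bool(true)
```

The point for reviewers of Twig extensions is that is_safe is a promise, not a mechanism: Twig trusts the declaration and skips escaping entirely, so the check in filterEscapesInput (or an equivalent PHPUnit assertion) is a useful guard to run over every filter and function that carries the option.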


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions     Patched versions
symfony/twig-bridge (Packagist) >= 2.0.0, < 4.4.51    4.4.51
symfony/twig-bridge (Packagist) >= 5.0.0, < 5.4.31    5.4.31
symfony/twig-bridge (Packagist) >= 6.0.0, < 6.3.8     6.3.8
symfony/symfony (Packagist)     >= 2.0.0, < 4.4.51    4.4.51
symfony/symfony (Packagist)     >= 5.0.0, < 5.4.31    5.4.31
symfony/symfony (Packagist)     >= 6.0.0, < 6.3.8     6.3.8
