VYPR
Moderate severity · NVD Advisory · Published Nov 10, 2023 · Updated Sep 3, 2024

Symfony potential Cross-site Scripting in WebhookController

CVE-2023-46735

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now doesn't return any user-submitted input in its response.
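To make the mechanism concrete, the following is an added example and not code from the symfony/symfony repository. It models the two versions of WebhookController::handle() shown in the patch with a small StubResponse stand-in for Symfony's Response (assumed here so it runs on PHP 8.1+ without Composer; the stand-in copies one real behaviour, that Symfony's Response::prepare() fills in text/html when no Content-Type is set), registers one constructed parser type, and runs a regression check that a maintainer could keep in a test suite: the 404 path must not reflect the request-controlled type into a body served as HTML.

```php
<?php
// Added example, not code from the symfony/symfony repository.
// StubResponse is a stand-in for Symfony\Component\HttpFoundation\Response.
declare(strict_types=1);

final class StubResponse
{
    /** @param array<string,string> $headers */
    public function __construct(
        public readonly string $body,
        public readonly int $status = 200,
        public readonly array $headers = [],
    ) {}

    // Mirrors Symfony's Response::prepare(): with no explicit Content-Type,
    // the body is served as HTML and browsers will render markup in it.
    public function contentType(): string
    {
        return $this->headers['Content-Type'] ?? 'text/html; charset=UTF-8';
    }
}

// Constructed parser registry with a single known type (stdClass stands in
// for a RequestParserInterface implementation).
$parsers = ['github' => ['parser' => new stdClass()]];

// Before 6.3.8 (vulnerable): the URL segment is echoed into an HTML 404 body.
function handleBefore(array $parsers, string $type): StubResponse
{
    if (!isset($parsers[$type])) {
        return new StubResponse(sprintf('No parser found for webhook of type "%s".', $type), 404);
    }
    return new StubResponse('parsed', 200); // real controller dispatches to the parser here
}

// 6.3.8 fix: constant message, and Content-Type pinned to text/plain.
function handleAfter(array $parsers, string $type): StubResponse
{
    if (!isset($parsers[$type])) {
        return new StubResponse('No webhook parser found for the type given in the URL.', 404, ['Content-Type' => 'text/plain']);
    }
    return new StubResponse('parsed', 200);
}

// Regression check: true when the response both contains the request-controlled
// value verbatim and is served with an HTML content type.
function reflectsRequestInput(StubResponse $r, string $type): bool
{
    $servedAsHtml = str_starts_with($r->contentType(), 'text/html');
    return str_contains($r->body, $type) && $servedAsHtml;
}

// Constructed probe value: harmless markup, enough to show the reflection.
$type = '<em>not-a-registered-type</em>';

$cases = ['before' => handleBefore($parsers, $type), 'after' => handleAfter($parsers, $type)];
foreach ($cases as $label => $resp) {
    printf("%-6s status=%d content-type=%s reflected=%s\n",
        $label, $resp->status, $resp->contentType(),
        reflectsRequestInput($resp, $type) ? 'yes' : 'no');
}
```

Run with `php example.php`; the "before" line reports the probe reflected into a text/html body, the "after" line reports no reflection. The check deliberately tests both conditions, because either removing the input from the body or forcing a non-HTML content type would break the XSS, and the upstream fix does both.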

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions     Patched versions
symfony/webhook (Packagist)   >= 6.3.0, < 6.3.8     6.3.8
symfony/symfony (Packagist)   >= 6.3.0, < 6.3.8     6.3.8

Patches (1)

8128c3024303

[Webhook] Remove user-submitted type from HTTP response

https://github.com/symfony/symfony · Nicolas Grekas · Nov 3, 2023 · via ghsa
1 file changed · +1 -1
  • src/Symfony/Component/Webhook/Controller/WebhookController.php (+1 -1, modified)
    @@ -38,7 +38,7 @@ public function __construct(
         public function handle(string $type, Request $request): Response
         {
             if (!isset($this->parsers[$type])) {
    -            return new Response(sprintf('No parser found for webhook of type "%s".', $type), 404);
    +            return new Response('No webhook parser found for the type given in the URL.', 404, ['Content-Type' => 'text/plain']);
             }
             /** @var RequestParserInterface $parser */
             $parser = $this->parsers[$type]['parser'];
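Review bot: The replacement line fixes the reflection by dropping `$type` from the 404 body and by pinning `Content-Type` to `text/plain`, so even a body that still contained request data would not be rendered as HTML; both changes are sound, but the operator loses the diagnostic detail of which type was rejected, so if that is needed it belongs in a server-side log entry rather than in the response. Suggest a regression test for this branch that requests an unregistered type containing markup and asserts that the body does not contain it and that the header is `text/plain`.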
    
