CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
77.5%
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path
input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
www.securityfocus.com/bid/106249
github.com/advisories/GHSA-89r2-5g34-2g47
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-19790.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-19790.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-19790.yaml
github.com/symfony/symfony/commit/99a0cec0a6be39ce5ef38386e57339603b33ee5b
lists.debian.org/debian-lts-announce/2019/03/msg00009.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ
lists.fedoraproject.org/archives/list/[email protected]/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7
lists.fedoraproject.org/archives/list/[email protected]/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE
lists.fedoraproject.org/archives/list/[email protected]/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ
nvd.nist.gov/vuln/detail/CVE-2018-19790
seclists.org/bugtraq/2019/May/21
symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http
symfony.com/cve-2018-19790
web.archive.org/web/20200227095826/www.securityfocus.com/bid/106249
www.debian.org/security/2019/dsa-4441
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
77.5%