An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path
input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
www.securityfocus.com/bid/106249
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-19790.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-19790.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-19790.yaml
github.com/symfony/symfony
github.com/symfony/symfony/commit/99a0cec0a6be39ce5ef38386e57339603b33ee5b
lists.debian.org/debian-lts-announce/2019/03/msg00009.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ
lists.fedoraproject.org/archives/list/[email protected]/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7
lists.fedoraproject.org/archives/list/[email protected]/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE
lists.fedoraproject.org/archives/list/[email protected]/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ
nvd.nist.gov/vuln/detail/CVE-2018-19790
seclists.org/bugtraq/2019/May/21
symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http
symfony.com/cve-2018-19790
web.archive.org/web/20200227095826/www.securityfocus.com/bid/106249
www.debian.org/security/2019/dsa-4441