Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released
www.securityfocus.com/bid/61715
bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752
exchange.xforce.ibmcloud.com/vulnerabilities/86365
exchange.xforce.ibmcloud.com/vulnerabilities/86366
exchange.xforce.ibmcloud.com/vulnerabilities/86367
exchange.xforce.ibmcloud.com/vulnerabilities/86368
exchange.xforce.ibmcloud.com/vulnerabilities/86369
exchange.xforce.ibmcloud.com/vulnerabilities/86370
exchange.xforce.ibmcloud.com/vulnerabilities/86371
exchange.xforce.ibmcloud.com/vulnerabilities/86372
exchange.xforce.ibmcloud.com/vulnerabilities/86373
exchange.xforce.ibmcloud.com/vulnerabilities/86374
lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html
lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html