symfony/serializer is vulnerable to CSV Injection. The vulnerability exists in a private variable used by the flatten function of CsvEncoder.php, which does not properly encode formulas, allowing an attacker to inject arbitrary CSV formulas and code into the generated CSV output.
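The following is an added example, not code from symfony/serializer: a minimal CSV row encoder that shows the difference between passing a formula-like cell through unchanged and escaping it before output. The trigger-character list and the single-quote prefix are assumptions based on common CSV-injection guidance, not a quotation of CsvEncoder.php.

```php
<?php
// Added example (not Symfony code): a minimal CSV row encoder showing the
// formula-injection risk described above and the mitigation of escaping cells
// that start with formula-trigger characters. The trigger list and the
// single-quote prefix are assumptions, not a quotation of CsvEncoder.php.

declare(strict_types=1);

// Characters that make spreadsheet applications treat a cell as a formula.
const FORMULA_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];

// Escape a single cell value so a spreadsheet displays it as literal text.
function escapeFormula(string $value): string
{
    if ($value !== '' && in_array($value[0], FORMULA_START_CHARACTERS, true)) {
        // A leading single quote tells spreadsheets to treat the rest as
        // text. A tab prefix is avoided because a leading tab is itself a
        // trigger character.
        return "'".$value;
    }
    return $value;
}

// Quote a cell for CSV output (RFC 4180 style), optionally escaping formulas.
function encodeCell(string $value, bool $escapeFormulas): string
{
    if ($escapeFormulas) {
        $value = escapeFormula($value);
    }
    // Double embedded quotes and wrap the cell in quotes when it contains
    // a separator, a quote, a line break or leading/trailing whitespace.
    if (preg_match('/[",\r\n]/', $value) || $value !== trim($value)) {
        $value = '"'.str_replace('"', '""', $value).'"';
    }
    return $value;
}

// Encode one row; $escapeFormulas = false reproduces the unsafe behaviour.
function encodeRow(array $row, bool $escapeFormulas = true): string
{
    return implode(',', array_map(
        fn (string $cell) => encodeCell($cell, $escapeFormulas),
        $row
    ));
}

// Constructed sample: a user-supplied field that begins with '='.
$row = ['alice', '=1+1', 'note, with comma'];

echo encodeRow($row, false), "\n"; // formula cell is emitted unchanged
echo encodeRow($row, true), "\n";  // formula cell is prefixed with a quote
```

Opening the first line in a spreadsheet evaluates the second cell as a formula; the second line renders it as text.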
github.com/symfony/serializer/commit/1b2ae02cb1b923987947e013688c51954a80b751
github.com/symfony/serializer/commit/d834b2834253fa5464b630714429797f66f1a0dc
github.com/symfony/symfony/commit/3379d3ee4211840f31e3fabe1c8a9875f9cc6a47
github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
github.com/symfony/symfony/pull/44243
github.com/symfony/symfony/releases/tag/v5.3.12
github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/