Skip to main content

URL Redirection to Untrusted Site ('Open Redirect')

CVE-2018-11408

Severity Medium
Score 6.1/10

Summary

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.x before 3.3.17, 3.4.x before 3.4.11, 4.0.x before 4.0.11 and 4.1.x through 4.1.0-BETA2 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • NONE
  • LOW
  • NONE

CWE-601 - Open Redirect

An open redirect attack employs a URL parameter, HTML refresh tags, or a DOM based location change to exploit the trust of a vulnerable domain to direct the users to a malicious website. The attack could lead to higher severity vulnerabilities such as unauthorized access control, account takeover, XSS, and more.

Advisory Timeline

  • Published