Vulnerability Description
The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | < 2.7.33 |
Related Weaknesses (CWE)
References
- https://github.com/barryvdh/laravel-debugbar/issues/850ExploitThird Party Advisory
- https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483PatchThird Party Advisory
- https://github.com/symfony/symfony/issues/27987ExploitThird Party Advisory
- https://github.com/symfony/symfony/pull/23684Third Party Advisory
- https://github.com/barryvdh/laravel-debugbar/issues/850ExploitThird Party Advisory
- https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483PatchThird Party Advisory
- https://github.com/symfony/symfony/issues/27987ExploitThird Party Advisory
- https://github.com/symfony/symfony/pull/23684Third Party Advisory
FAQ
What is CVE-2017-18343?
CVE-2017-18343 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as dem...
How severe is CVE-2017-18343?
CVE-2017-18343 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-18343?
Check the references section above for vendor advisories and patch information. Affected products include: Sensiolabs Symfony.