Cross-site Scripting (XSS) vulnerability in ErrorHandler for Symfony


No pandemic, earthquake or cold weather could stop Infigo IS' pen testers from finding a bug in the popular Symfony framework

Symfony, a popular set of decoupled and reusable PHP components used by many PHP applications, was leaking more information than it should have. Our resident PHP expert, Luka Sikic, got Symfony's ErrorHandler to render injected characters without proper HTML encoding, which led to an exploitable Cross-site Scripting (XSS) vulnerability.
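To illustrate the class of bug described above, here is a constructed PHP example (not Symfony's own ErrorHandler code) of an error page renderer that interpolates an exception message into HTML, shown in its unencoded form beside the hardened one; the message text and the `<b>injected</b>` marker are made-up sample input.

```php
<?php
declare(strict_types=1);

// Constructed illustration, not code from Symfony. An error handler that builds
// HTML from an exception message must treat that message as untrusted text:
// it may echo request-derived data such as a path or a parameter name.

// Vulnerable pattern: the message is concatenated into markup verbatim,
// so any HTML in it becomes live tags on the error page.
function renderErrorUnsafe(string $message): string
{
    return '<div class="exception-message">' . $message . '</div>';
}

// Hardened pattern: HTML-encode the message before interpolation.
// ENT_QUOTES also encodes quotes, which matters inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderErrorSafe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="exception-message">' . $escaped . '</div>';
}

// Regression check for the error page: the raw marker must not survive
// rendering as live markup. A harmless tag is enough to prove the point.
function hasNoLiveMarkup(string $html, string $marker): bool
{
    return strpos($html, $marker) === false;
}

// Constructed sample message containing markup, as a request-derived string might.
$message = 'No route found for "GET /<b>injected</b>"';
$marker  = '<b>injected</b>';

var_dump(hasNoLiveMarkup(renderErrorUnsafe($message), $marker));
var_dump(hasNoLiveMarkup(renderErrorSafe($message), $marker));
```

The same check can be run against any custom error template in an application to confirm that messages, paths and parameter names are encoded before they reach the page.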

Symfony has more than 48 million downloads per month, so the user base is huge. Affected versions were 4.4.0 to 4.4.3 and 5.0.0 to 5.0.4. Luckily, the bug is fixed and all users should upgrade to the newer versions (currently 4.4.7 and 5.0.7). You can read more about the problem on the official Symfony blog.