First published: Fri Nov 10 2023
### Description

The error message in WebhookController returns unescaped user-submitted input.

### Resolution

WebhookController now doesn't return any user-submitted input in its response.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962) for branch 6.3.

### Credits

We would like to thank Maxime Aknin for reporting the issue and Nicolas Grekas for providing the fix.
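As an added illustration that is not Symfony's code and not the patched WebhookController, the following sketches the pattern the description points at: a route value dropped verbatim into an HTML error body, next to two hardened variants (escape and serve as plain text, or omit the input entirely as the advisory's fix does). The response is reduced to an assumed `[status, content-type, body]` array so it runs with plain `php` and no framework.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers modelling a framework response as [status, content-type, body].

/** Vulnerable pattern: the user-controlled $type lands unescaped in an HTML body. */
function errorResponseVulnerable(string $type): array
{
    // Framework responses usually default to text/html, so any markup in
    // $type would be rendered by the browser instead of shown as text.
    return [404, 'text/html', sprintf('No webhook parser found for "%s".', $type)];
}

/** Hardened, option 1: escape the value and declare the body as plain text. */
function errorResponseEscaped(string $type): array
{
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return [404, 'text/plain; charset=UTF-8', sprintf('No webhook parser found for "%s".', $safe)];
}

/** Hardened, option 2 (what the advisory's resolution describes): echo nothing user-supplied. */
function errorResponseNoEcho(string $type): array
{
    // Record $type in server-side logs if it is needed for debugging; never return it.
    return [404, 'text/plain; charset=UTF-8', 'No webhook parser found.'];
}

/** Review check: is the raw input present in a body that is served as HTML? */
function reflectsUnescapedHtml(array $response, string $input): bool
{
    [, $contentType, $body] = $response;
    return str_starts_with($contentType, 'text/html') && str_contains($body, $input);
}

// Constructed sample value: a "type" carrying markup, as a hostile client could send.
$input = '<b>not-a-parser</b>';
foreach (['errorResponseVulnerable', 'errorResponseEscaped', 'errorResponseNoEcho'] as $fn) {
    $r = $fn($input);
    printf("%-24s %-8s %s\n", $fn, reflectsUnescapedHtml($r, $input) ? 'REFLECTS' : 'safe', $r[2]);
}
```

Only the first variant is flagged; the escaped variant neutralises the markup and the no-echo variant removes the sink altogether, which is why it needs no escaping discipline to stay safe.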
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=6.3.0, <6.3.8 | 6.3.8 |
| composer/symfony/webhook | >=6.3.0, <6.3.8 | 6.3.8 |
| SensioLabs Symfony | >=6.0.0, <6.3.8 | |
The vulnerability ID for this issue is CVE-2023-46735.
The severity of CVE-2023-46735 is medium with a severity value of 6.1.
The software affected by CVE-2023-46735 is Symfony and Symfony Webhook.
To resolve CVE-2023-46735, update to Symfony version 6.3.8 or newer.
You can find more information about CVE-2023-46735 in the references provided: [GitHub Security Advisory](https://github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr), [GitHub Commit](https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46735).