An issue exists in HttpKernel in Symfony 2.7.0 up to and including 2.7.48, 2.8.0 up to and including 2.8.43, 3.3.0 up to and including 3.3.17, 3.4.0 up to and including 3.4.13, 4.0.0 up to and including 4.0.13, and 4.1.0 up to and including 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sensiolabs symfony |