An open redirect exists in Symfony 2.7.x prior to 2.7.50, 2.8.x prior to 2.8.49, 3.x prior to 3.4.20, 4.0.x prior to 4.0.15, 4.1.x prior to 4.1.9 and 4.2.x prior to 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
sensiolabs symfony |
||
fedoraproject fedora 28 |
||
debian debian linux 8.0 |