{"id":"CVE-2023-46734","summary":"Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters","details":"Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension are declared with `is_safe=html` (which tells Twig's auto-escaper to trust the filter's output and not escape it) but don't actually ensure their input is safe, so attacker-controlled input passed through these filters can reach the rendered page as unescaped HTML (cross-site scripting, CWE-79). As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters; users of the 4.4, 5.4, and 6.3 branches should upgrade to those releases or later.","aliases":["BIT-symfony-2023-46734","GHSA-q847-2q57-wmr3"],"modified":"2026-05-28T04:09:07.639374527Z","published":"2023-11-10T17:49:55.188Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46734.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/46xxx/CVE-2023-46734.json"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46734"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/security-http","events":[{"introduced":"18f96c1f4aff294d6872908741731ff0993dbd6f"},{"fixed":"6d3cd5a4deee9697738db8d24258890ca4140ae9"},{"introduced":"6530589fc40cdceda230fb6a69173ce52fa8b5ca"},{"fixed":"19f7b5f5d20879a976d6d376e359bc975dfc6002"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"5.0.0"},{"fixed":"5.4.31"},{"introduced":"6.0.0"},{"fixed":"6.3.8"}],"cpe":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"}}],"versions":["v6.3.6","v6.3.5",
"v6.3.4","v6.3.2","v6.3.1","v6.3.0","v6.3.0-RC1","v6.3.0-BETA1","v6.2.0","v6.2.0-RC1","v6.2.0-BETA3","v6.2.0-BETA1","v6.1.0-RC1","v6.1.0","v6.1.0-BETA2","v6.1.0-BETA1","v6.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46734.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"c3ebdbf9cceddb82cd2089aaef8c7b992e536363"},{"fixed":"9926d13361941c4a8abef7e8d7cb8a1997409b9f"},{"introduced":"ea815ba986fe3be54acb5a47b0dc8760cf54e31d"},{"fixed":"adf54cdee267ad025961c41ad1c2a0681600ede3"},{"introduced":"aa4e97099b5a67bdc9f2387fe8d099f5c712f81c"},{"fixed":"60e5f25f78f025bb81ec605f7a6fd664667f9e0e"},{"fixed":"5d095d5feb1322b16450284a04d6bb48d1198f54"},{"fixed":"9da9a145ce57e4585031ad4bee37c497353eec7c"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"2.0.0"},{"fixed":"4.4.51"},{"introduced":"5.0.0"},{"fixed":"5.4.31"},{"introduced":"6.0.0"},{"fixed":"6.3.8"}],"cpe":["cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:twig:*:*:*:*:*:*:*:*"]}}],"versions":["v6.3.4","v6.3.7","v5.4.30","v6.3.6","v6.3.5","v5.4.29","v5.4.28","v6.3.3","v5.4.27","v6.3.2","v5.4.26","v6.3.1","v5.4.25","v6.3.0","v6.3.0-RC2","v5.4.24","v6.3.0-RC1","v6.3.0-BETA3","v6.3.0-BETA2","v4.4.50","v6.3.0-BETA1","v5.4.23","v5.4.22","v5.4.21","v5.4.20","v5.4.19","v4.4.49","v5.4.18","v5.4.17","v5.4.16","v6.2.0-BETA3","v6.2.0-BETA2","v5.4.15","v4.4.48","v6.2.0-BETA1","v5.4.14","v4.4.47","v5.4.13","v4.4.46","v5.4.12","v4.4.45","v5.4.11","v4.4.44","v5.4.10","v4.4.43","v5.4.9","v4.4.42","v6.1.0-RC1","v6.1.0-BETA2","v5.4.8","v4.4.41","v6.1.0-BETA1","v5.4.7","v4.4.40","v5.4.6","v4.4.39","v5.4.5","v4.4.38","v5.4.3","v5.4.4","v4.4.37","v5.4.2","v4.4.36","v4.4.35","v5.4.1","v5.4.0","v6.0.0-RC1","v5.4.0-RC1","v4.4.34","v6.0.0-BETA3","v5.4.0-BETA3","v6.0.0-BETA2","v5.4.0-BETA2","v6.0.0-BETA1","v5.4.0-BETA1","v4.4.33","v4.4.32","v4.4.31","v4.4.30","v4.4
.25","v4.4.29","v4.4.28","v4.4.27","v4.4.26","v4.4.24","v5.3.0-BETA4","v4.4.23","v5.3.0-BETA3","v5.3.0-BETA2","v4.4.22","v5.3.0-BETA1","v4.4.21","v4.4.20","v4.4.19","v4.4.18","v4.4.17","v5.2.0-BETA3","v4.4.16","v5.2.0-BETA2","v5.2.0-BETA1","v4.4.15","v4.4.14","v4.4.13","v4.4.12","v4.4.11","v4.4.10","v4.4.9","v5.1.0-BETA1","v4.4.8","v4.4.7","v4.4.6","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v5.0.0-RC1","v4.4.0-RC1","v5.0.0-BETA2","v4.4.0-BETA2","v5.0.0-BETA1","v4.4.0-BETA1","v4.3.0-BETA1","v4.2.0-BETA2","v4.2.0-BETA1","v4.0.0-BETA4","v4.0.0-BETA3","v4.0.0-BETA2","v4.0.0-BETA1","v3.3.0-BETA1","v3.2.0-RC1","v3.2.0-BETA1","v3.0.0","v3.0.0-BETA1","v2.6.0-BETA1","v2.5.0-BETA1","v2.5.0-BETA2","v2.4.0-BETA2","v2.4.0-BETA1","v2.3.0-BETA2","v2.3.0-BETA1","v2.2.0-BETA2","v2.2.0-BETA1","v2.1.0","v2.1.0-RC2","v2.1.0-RC1","v2.1.0-BETA4","v2.1.0-BETA3","v2.1.0-BETA2","v2.1.0-BETA1","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46734.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}