Vulnerability DatabaseCVE-2018-11408
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2018-11408
Published:June 13, 2018
Updated:May 17, 2026
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
Affected Packages
symfony/security-bundle (PHP):
Affected version(s) >=v2.7.0 <v2.7.48
Fix Suggestion:
Update to version v2.7.48
symfony/security-bundle (PHP):
Affected version(s) >=v3.3.0 <v3.3.17
Fix Suggestion:
Update to version v3.3.17
symfony/symfony (PHP):
Affected version(s) >=v3.3.0 <v3.3.17
Fix Suggestion:
Update to version v3.3.17
symfony/symfony (PHP):
Affected version(s) >=v2.8.0 <v2.8.41
Fix Suggestion:
Update to version v2.8.41
symfony/symfony (PHP):
Affected version(s) >=v4.0.0 <v4.0.11
Fix Suggestion:
Update to version v4.0.11
symfony/security-bundle (PHP):
Affected version(s) >=v2.8.0 <v2.8.41
Fix Suggestion:
Update to version v2.8.41
symfony/symfony (PHP):
Affected version(s) >=v2.7.0 <v2.7.48
Fix Suggestion:
Update to version v2.7.48
symfony/security-bundle (PHP):
Affected version(s) >=v3.4.0 <v3.4.11
Fix Suggestion:
Update to version v3.4.11
symfony/symfony (PHP):
Affected version(s) >=v3.4.0 <v3.4.11
Fix Suggestion:
Update to version v3.4.11
symfony/security-bundle (PHP):
Affected version(s) >=v4.0.0 <v4.0.11
Fix Suggestion:
Update to version v4.0.11
Related Resources (14)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
https://nvd.nist.gov/vuln/detail/CVE-2018-11408
https://github.com/symfony/symfony/commit/b20e83562e32c56f8d9b8296ab07b0e4c0a54db8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2018-11408.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11408.yaml
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
https://github.com/symfony/symfony
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
https://symfony.com/cve-2018-11408
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
EPSS
Base Score:
0.31