6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11408

GHSA ID

GHSA-7hwc-2cq4-6x2w

EPSS Score

0.53441%

CWE

CWE-601

Published

5/14/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-11408

CVE-2018-11408: Symfony Open Redirect

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11408

GHSA ID

GHSA-7hwc-2cq4-6x2w

EPSS Score

0.53441%

CWE

CWE-601

Published

5/14/2022

Updated

2/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.7.0, < 2.7.48	2.7.48
symfony/symfony	composer	>= 2.8.0, < 2.8.41	2.8.41
symfony/symfony	composer	>= 3.3.0, < 3.3.17	3.3.17
symfony/symfony	composer	>= 3.4.0, < 3.4.11	3.4.11
symfony/symfony	composer	>= 4.0.0, < 4.0.11	4.0.11
symfony/security-bundle	composer	>= 2.7.0, < 2.7.48	2.7.48
symfony/security-bundle	composer	>= 2.8.0, < 2.8.41	2.8.41
symfony/security-bundle	composer	>= 3.3.0, < 3.3.17	3.3.17
symfony/security-bundle	composer	>= 3.4.0, < 3.4.11	3.4.11
symfony/security-bundle	composer	>= 4.0.0, < 4.0.11	4.0.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the AddSessionDomainConstraintPass compiler pass's handling of security.http_utils. The original code (pre-patch) checked for both 'session.storage.options' parameter and 'security.http_utils' service existence, returning early if either was missing. When security.http_utils was inlined (not explicitly defined in the container), this check allowed the code to skip adding the domain validation regex to the service. The patch removed the http_utils check, ensuring the regex is always added or an exception is thrown if the service is missing. This indicates the process() method's conditional logic was the root cause of the incomplete validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** s**urity **n*l*rs in t** S**urity *ompon*nt in Sym*ony in *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *n* *.*.x ***or* *.*.** **v* *n Op*n r**ir**t vuln*r**ility w**n s**urity.*ttp_utils is inlin** *y * *on

Reasoning

T** vuln*r**ility st*ms *rom t** ***S*ssion*om*in*onstr*intP*ss *ompil*r p*ss's **n*lin* o* s**urity.*ttp_utils. T** ori*in*l *o** (pr*-p*t**) ****k** *or *ot* 's*ssion.stor***.options' p*r*m*t*r *n* 's**urity.*ttp_utils' s*rvi** *xist*n**, r*turnin*

6.1

Basic Information

Concerned about an active attack path?

CVE-2018-11408: Symfony Open Redirect

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI