CVE-2013-4752 : Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.

Published 2020-01-02 17:15:11

Updated 2020-01-10 19:25:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2013-4752

Fedoraproject » Fedora » Version: 18
cpe:2.3:o:fedoraproject:fedora:18:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 19
cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.0.0 and before (<) 2.0.24
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.1.0 and before (<) 2.1.12
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.3.0 and before (<) 2.3.3
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.2.0 and before (<) 2.2.5
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-4752

EPSS FAQ

0.93%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 74 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-4752

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2013-4752

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-4752

https://exchange.xforce.ibmcloud.com/vulnerabilities/86366

eZ Publish content/versionview module cross-site scripting undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86369

eZ Publish user/login page cross-site scripting undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86365

Symfony Request.php spoofing CVE-2013-4752 Vulnerability Report
Third Party Advisory;VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html

[SECURITY] Fedora 19 Update: php-symfony2-HttpFoundation-2.2.5-1.fc19
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752

995583 – (CVE-2013-4752) CVE-2013-4752 php-symfony2-HttpFoundation: Request::getHost() poisioning
Issue Tracking;Patch;Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/86368

eZ Publish user/login page URL redirection undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86371

eZ Publish content treemenu module cross-site scripting undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86373

eZ Publish object relations security bypass undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86367

eZ Publish BrowserView module cross-site scripting undefined Vulnerability Report
Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/61715

Symfony CVE-2013-4752 HTTP Header Spoofing Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86374

eZ Publish Request.php URL spoofing undefined Vulnerability Report
Third Party Advisory;VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86370

eZ Publish error page denial of service undefined Vulnerability Report
Third Party Advisory;VDB Entry
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released (Symfony Blog)
Patch;Vendor Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/86372

eZ Publish admin design cross-site scripting undefined Vulnerability Report
Third Party Advisory;VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html

[SECURITY] Fedora 18 Update: php-symfony2-HttpFoundation-2.2.5-1.fc18
Third Party Advisory

Jump to

Vulnerability Details : CVE-2013-4752

Products affected by CVE-2013-4752

Exploit prediction scoring system (EPSS) score for CVE-2013-4752

CVSS scores for CVE-2013-4752

CWE ids for CVE-2013-4752

References for CVE-2013-4752