The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
Source: MITRE
Published: 2018-06-13
Updated: 2019-03-13
Type: CWE-601
Base Score: 5.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Impact Score: 4.9
Exploitability Score: 8.6
Severity: MEDIUM
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.8
Severity: MEDIUM