oro/platform vulnerable to CVE-2023-46733 and CVE-2023-46734 #1107

@ndeg

Description

Summary
The latest version of oro/platform is vulnerable to CVE-2023-46733 and CVE-2023-46734 vulnerabilities.

Links:
https://symfony.com/blog/cve-2023-46734-potential-xss-vulnerabilities-in-codeextension-filters
https://symfony.com/blog/cve-2023-46733-possible-session-fixation

These vulnerabilities have been fixed in v5.4.31 of the packages symfony/security-http and symfony/twig-bridge.

Steps to reproduce

 git clone https://github.com/oroinc/platform.git
 cd platform
 git checkout 5.0.12
 composer install --ignore-platform-reqs
 composer audit

Actual Result

+-------------------+----------------------------------------------------------------------------------+
| Package           |                                                           |
| CVE               | CVE-2023-46733                                                                   |
| Title             | CVE-2023-46733: Possible session fixation                                        |
| URL               | https://symfony.com/cve-2023-46733                                               |
| Affected versions | >=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8      |
| Reported at       | 2023-11-10T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/twig-bridge                                                              |
| CVE               | CVE-2023-46734                                                                   |
| Title             | CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters           |
| URL               | https://symfony.com/cve-2023-46734                                               |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
|                   | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
|                   | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
|                   | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
|                   | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0, |
|                   | <6.3.0|>=6.3.0,<6.3.8                                                            |
| Reported at       | 2023-11-10T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Expected Result

No vulnerabilities found.

Details about your environment

  • OroPlatform version: 5.0.12
  • PHP version: v8.1.2 (packages installed with --ignore-platform-reqs option)
  • Database (MySQL, PostgreSQL) version: Not applicable
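As an added example (not part of this issue or of the oro/platform project), a small check that reads a composer.lock and flags symfony/security-http and symfony/twig-bridge against the affected ranges printed by `composer audit` above. It assumes the blank package cell in the first table is symfony/security-http, the package the issue text names for CVE-2023-46733, and it collapses the contiguous sub-ranges into single intervals.

```python
import json
import re

# Affected ranges as printed by `composer audit` in the report above, with contiguous
# sub-ranges collapsed. The first table entry has a blank package cell; it is assumed
# here to be symfony/security-http, which the issue text names for CVE-2023-46733.
ADVISORIES = {
    "symfony/security-http": [("CVE-2023-46733", ">=5.4.0,<5.4.31|>=6.0.0,<6.3.8")],
    "symfony/twig-bridge": [("CVE-2023-46734", ">=2.0.0,<4.4.51|>=5.0.0,<5.4.31|>=6.0.0,<6.3.8")],
}

def parse_version(text):
    """Turn 'v5.4.30' / '5.4.30' into a comparable tuple; None for dev/branch aliases."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def parse_ranges(spec):
    """Parse composer audit's 'A|B' list of '>=x,<y' constraints into (low, high) tuples."""
    ranges = []
    for part in spec.split("|"):
        low, high = part.split(",")
        ranges.append((parse_version(low[2:]), parse_version(high[1:])))
    return ranges

def is_affected(version, spec):
    """True if the tagged version falls in an affected range, False if not, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None  # dev/branch alias: cannot be compared, needs a manual look
    return any(low <= v < high for low, high in parse_ranges(spec))

def audit_lock(lock_text):
    """Return (package, installed, cve, affected) for each advisory-listed package in the lock."""
    lock = json.loads(lock_text)
    installed = {p["name"]: p["version"] for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    findings = []
    for name, advisories in ADVISORIES.items():
        if name not in installed:
            continue
        for cve, spec in advisories:
            findings.append((name, installed[name], cve, is_affected(installed[name], spec)))
    return findings

# Constructed sample lock (not taken from the oro/platform repository): one package
# still on an affected release and one already on the fixed 5.4.31 release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/security-http", "version": "v5.4.30"},
    {"name": "symfony/twig-bridge", "version": "v5.4.31"},
    {"name": "symfony/yaml", "version": "v5.4.30"},
]})

if __name__ == "__main__":
    for name, ver, cve, hit in audit_lock(SAMPLE_LOCK):
        print(f"{name} {ver}: {cve} {'AFFECTED' if hit else 'fixed' if hit is False else 'unknown'}")
```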
