Security advisory: IBEXA-SA-2023-006

Vulnerabilities in Symfony 5.4
Publication date:
10/11/2023, 17:20

Severity:
High

Affected versions: symfony/symfony v5.4.* (Ibexa DXP v4.5 and v3.3)
Resolving versions: symfony/symfony v5.4.31 (Ibexa DXP v4.5 and v3.3)

This security advisory resolves two vulnerabilities in the third-party Symfony dependency. Before version 5.4.31, that package was vulnerable to XSS in certain CodeExtension Twig filters and to a possible session fixation vulnerability. The update resolves both issues.

You can read more in Symfony's release log: https://github.com/symfony/symfony/releases/tag/v5.4.31


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
