{"id":"CVE-2017-16652","details":"An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.","aliases":["GHSA-r7p7-qr7p-2rrf"],"modified":"2026-04-10T03:58:51.921505Z","published":"2018-06-13T16:29:00.267Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"0"},{"fixed":"b95964ae888c9e25ad7c3eee22730c68b33b1a8b"},{"introduced":"0"},{"fixed":"fa9fa59d7bf9d5c73a264d348f0da793cafdc73c"},{"introduced":"0"},{"fixed":"fc9f9470e81e6fb59bd826d8040b961f7ed30f94"},{"introduced":"5a7e31c48e7cd4831efa409fffb661beb9995174"},{"fixed":"9b0226340705f75fd0cebd220746a36050ead8a9"},{"introduced":"0"},{"last_affected":"2e913a829cfbbf9cb38b321bdff1806b44b192eb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.38"},{"introduced":"0"},{"fixed":"2.8.31"},{"introduced":"0"},{"fixed":"3.2.14"},{"introduced":"3.3.0"},{"fixed":"3.3.13"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["v2.0.0","v2.0.0-RC1","v2.0.0-RC2","v2.0.0-RC3","v2.0.0-RC4","v2.0.0-RC5","v2.0.0-RC6","v2.0.0BETA1","v2.0.0BETA2","v2.0.0BETA3","v2.0.0BETA4","v2.0.0BETA5","v2.0.0PR8","v2.1.0","v2.1.0-BETA1","v2.1.0-BETA2","v2.1.0-BETA3","v2.1.0-BETA4","v2.1.0-RC1","v2.1.0-RC2","v2.2.0-BETA1","v2.2.0-BETA2","v2.3.0-BETA1","v2.3.0-BETA2","v2.4.0-BETA1","v2.4.0-BETA2","v2.5.0-BETA1","v2.5.0-BETA2","v2.6.0-BETA1","v2.7.0","v2.7.0-BETA1","v2.7.0-BETA2","v2.7.1","v2.7.10","v2.7.11","v2.7.12","v2.7.13","v2.7.14","v2.7.15","v2.7.16","v2.7.17","v2.7.18","v2.7.19","v2.7.2","v2.7.20","v2.7.21","v2.7.22","v2.7.23","v2.7.24","v2.7.25","v2.7.26","v2.7.27","v2.7.28","v2.7.29","v2.7.3","v2.7.30","v2.7.31","v2.7.32","v2.7.33","v2.7.34","v2.7.35","v2.7.36","v2.7.37","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v2.8.0","v2.8.0-BETA1","v2.8.1","v2.8.10","v2.8.11","v2.8.12","v2.8.13","v2.8.14","v2.8.15","v2.8.16","v2.8.17","v2.8.18","v2.8.19","v2.8.2","v2.8.20","v2.8.21","v2.8.22","v2.8.23","v2.8.24","v2.8.25","v2.8.26","v2.8.27","v2.8.28","v2.8.29","v2.8.3","v2.8.30","v2.8.4","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v2.8.9","v3.0.0","v3.0.0-BETA1","v3.2.0","v3.2.0-BETA1","v3.2.0-RC1","v3.2.0-RC2","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.0-BETA1","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9","v4.0.0-BETA1","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.2.0-BETA1","v4.2.0-BETA2","v4.3.0-BETA1","v5.0.0-BETA1","v5.0.0-BETA2","v5.0.0-RC1","v5.1.0-BETA1","v5.2.0-BETA1","v5.2.0-BETA2","v5.2.0-BETA3","v5.3.0-BETA1","v5.3.0-BETA2","v5.3.0-BETA3","v5.3.0-BETA4","v6.0.0-BETA1","v6.0.0-BETA2","v6.0.0-BETA3","v6.0.0-RC1","v6.1.0-BETA1","v6.1.0-BETA2","v6.1.0-RC1","v6.2.0-BETA1","v6.2.0-BETA2","v6.2.0-BETA3","v6.3.0-BETA1","v6.3.0-BETA2","v6.3.0-BETA3","v6.3.0-RC1","v7.0.0-BETA1","v7.0.0-BETA2","v7.0.0-BETA3","v7.0.0-RC1","v7.1.0-BETA1","v7.1.0-RC1","v7.2.0-BETA1","v7.2.0-BETA2","v7.2.0-RC1","v7.3.0-BETA1","v7.3.0-BETA2","v7.3.0-RC1","v8.0.0","v8.0.0-BETA1","v8.0.0-BETA2","v8.0.0-RC1","v8.0.0-RC2","v8.0.0-RC3","vPR3","vPR4","vPR5","vPR6","vPR8","vPR9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16652.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}