FOSRestBundle issue with broken validation of JSONP callbacks
Moderate severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Package
Affected versions
>= 1.2.0, < 1.2.2
Patched versions
1.2.2
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
Starting with FOSRestBundle 1.2 we switched to using willdurand/jsonp-callback-validator for validation of JSONP callbacks. However the change was implemented incorrectly validating the callback query param name, rather than its value. Anyone using the JSONP handler (which is off by default) together with FOSRestBundle 1.2.0 or 1.2.1 should update to FOSRestBundle 1.2.2.
References