CVE-2018-14773 log

Severity Medium
Remote Yes
Type Access restriction bypass
Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.

The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.
Group Package Affected Fixed Severity Status Ticket
AVG-744 drupal 8.5.5-1 8.5.6-1 Medium Fixed