oroinc / platform

Main OroPlatform package with core functionality.

oro/platform vulnerable to CVE-2023-46733 and CVE-2023-46734 #1107

Open ndeg opened 9 months ago

ndeg commented 9 months ago

Summary
The latest version of oro/platform is vulnerable to CVE-2023-46733 and CVE-2023-46734 vulnerabilities.

Links: https://symfony.com/blog/cve-2023-46734-potential-xss-vulnerabilities-in-codeextension-filters https://symfony.com/blog/cve-2023-46733-possible-session-fixation

These vulnerabilities have been fixed in v5.4.31 of the packages symfony/security-http and symfony/twig-bridge.

Steps to reproduce

 git clone https://github.com/oroinc/platform.git
 cd platform
 git checkout 5.0.12
 composer install --ignore-platform-reqs
 composer audit

Actual Result

+-------------------+----------------------------------------------------------------------------------+
| Package           |                                                           |
| CVE               | CVE-2023-46733                                                                   |
| Title             | CVE-2023-46733: Possible session fixation                                        |
| URL               | https://symfony.com/cve-2023-46733                                               |
| Affected versions | >=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8      |
| Reported at       | 2023-11-10T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/twig-bridge                                                              |
| CVE               | CVE-2023-46734                                                                   |
| Title             | CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters           |
| URL               | https://symfony.com/cve-2023-46734                                               |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
|                   | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
|                   | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
|                   | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.51|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
|                   | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0, |
|                   | <6.3.0|>=6.3.0,<6.3.8                                                            |
| Reported at       | 2023-11-10T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Expected Result

No vulnerabilities found.

Details about your environment
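As an added example (not code from the issue reporter or from oro/platform): a small checker that evaluates the affected-version constraint syntax composer audit prints above (alternatives separated by `|`, comparator bounds within an alternative separated by `,`) against the package versions pinned in a composer.lock, so a CI job can flag the two packages before the full `composer audit` run. The composer.lock excerpt is constructed, the security-http range is the one from the audit output, and the twig-bridge range is shortened to its 5.4/6.x branches.

```python
import json
import re

# Constructed composer.lock excerpt (not oro/platform's real lock file):
# one version inside the advisory range, one at the first fixed release.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "symfony/security-http", "version": "v5.4.30"},
    {"name": "symfony/twig-bridge", "version": "v5.4.31"},
]})

# Affected-version constraints in the syntax composer audit prints
# (twig-bridge shortened to its 5.4/6.x branches for this example).
ADVISORIES = {
    "symfony/security-http": ("CVE-2023-46733",
        ">=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8"),
    "symfony/twig-bridge": ("CVE-2023-46734",
        ">=5.4.0,<5.4.31|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.3.8"),
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

def parse_version(v):
    """'v5.4.30' -> (5, 4, 30); a '-BETA1' style suffix is ignored."""
    return tuple(int(x) for x in v.lstrip("v").split("-")[0].split("."))

def version_affected(version, constraint):
    """True if version satisfies any '|'-separated alternative; each
    alternative is a ','-separated conjunction of comparator bounds."""
    ver = parse_version(version)
    for alternative in constraint.split("|"):
        for bound in alternative.split(","):
            m = re.fullmatch(r"(>=|<=|>|<)v?([\d.]+)", bound.strip())
            if not m:
                raise ValueError(f"unparsable bound: {bound!r}")
            if not _OPS[m.group(1)](ver, parse_version(m.group(2))):
                break  # this alternative fails; try the next one
        else:
            return True  # every bound in this alternative held
    return False

def audit_lock(lock_json, advisories=ADVISORIES):
    """Return {package: CVE} for each locked package inside an affected range."""
    findings = {}
    for pkg in json.loads(lock_json).get("packages", []):
        adv = advisories.get(pkg["name"])
        if adv and version_affected(pkg["version"], adv[1]):
            findings[pkg["name"]] = adv[0]
    return findings
```

Running `audit_lock(COMPOSER_LOCK)` on the constructed lock file reports only symfony/security-http, since v5.4.31 is the first release outside the range for both packages.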