Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc5OTYtcTVyOC13N2cy

Symfony Cross-site Scripting (XSS) vulnerability

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Permalink: https://github.com/advisories/GHSA-g996-q5r8-w7g2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc5OTYtcTVyOC13N2cy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: 2 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-g996-q5r8-w7g2, CVE-2019-10909
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10909
• https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml
• https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
• https://symfony.com/cve-2019-10909
• https://www.drupal.org/sa-core-2019-005
• https://www.synology.com/security/advisory/Synology_SA_19_19
• https://github.com/advisories/GHSA-g996-q5r8-w7g2

Affected Packages