Improper Input Validation in Symfony · CVE-2019-11325 · GitHub Advisory Database · GitHub

Improper Input Validation in Symfony

Critical severity GitHub Reviewed Published Feb 12, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

symfony/symfony (Composer)

Affected versions

>= 4.2.0, < 4.2.12

>= 4.3.0, < 4.3.8

Patched versions

4.2.12

4.3.8

symfony/var-exporter (Composer)

>= 4.2.0, < 4.2.12

>= 4.3.0, < 4.3.8

4.2.12

4.3.8

Description

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

References

Reviewed Feb 11, 2020

Published to the GitHub Advisory Database Feb 12, 2020

Last updated Jan 9, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H