CVE-2013-1348 — Code Injection in Symfony

CWE-94 — Code Injection5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Yaml Sensiolabs Symfony

Timeline

PublishedJun 2

Latest updateMay 17

Description

The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶Packagistsymfony/yaml2.0.0 — 2.0.22

▶Packagistsymfony/symfony2.0.0 — 2.0.22

▶NVDsensiolabs/symfony22 versions+21

🔴Vulnerability Details

GHSA

Symphony Vulnerable to PHP Code Injection via YAML Parsing↗2022-05-17

▶

OSV

Symphony Vulnerable to PHP Code Injection via YAML Parsing↗2022-05-17

▶

GHSA

Symfony Arbitrary PHP code Execution↗2022-05-17

▶

CVEList

CVE-2013-1348: The Yaml::parse function in Symfony 2↗2014-06-02

▶