CVE-2015-2308 — Code Injection in Http-kernel

CWE-94 — Code Injection6 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 32.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Http-kernel Sensiolabs Symfony

Timeline

PublishedJun 24

Latest updateMay 17

Description

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶Packagistsymfony/symfony2.0.0 — 2.3.27+2

▶Packagistsymfony/http-kernel2.0.0 — 2.3.27+2

▶Debiansymfony/symfony< 2.3.21+dfsg-4+3

▶NVDsensiolabs/symfony75 versions+74

Patches

Patch: symfony.com ↗Patch: symfony.com ↗

🔴Vulnerability Details

OSV

Symfony Vulnerable to PHP Eval Injection↗2022-05-17

▶

GHSA

Symfony Vulnerable to PHP Eval Injection↗2022-05-17

▶

CVEList

CVE-2015-2308: Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2↗2015-06-24

▶

OSV

CVE-2015-2308: Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2↗2015-06-24

▶

📋Vendor Advisories

Debian

CVE-2015-2308: symfony - Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x...↗2015

▶