CVE-2015-4050
published 2015-06-02

CVE-2015-4050: FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or…

Priority: P336, medium, CVSS 2.0 score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 8.27% (94.2th percentile)
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.

Affected

40 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | symfony | < symfony 2.7.0~beta2+dfsg-2 (bookworm) | symfony 2.7.0~beta2+dfsg-2 (bookworm)
sensiolabs | symfony | |

Detection & IOCs

url: /_fragment?_path=_controller=phpcredits&flag=-1
path: /_fragment
  • Look for GET requests to /_fragment with no hash or an invalid/missing hash parameter, especially with _path=_controller= in the query string
  • Nuclei template matches response body containing 'PHP Credits' with HTTP 200 from the exploit path, indicating successful controller invocation via bypass
  • Victims return HTTP 403 response body with content generated by the controller — a 403 with non-empty body from /_fragment is a sign of exploitation
  • Shodan query to identify exposed Symfony instances: cpe:"cpe:2.3:a:sensiolabs:symfony"
  • Vulnerability is only exploitable when ESI or SSI support is enabled in Symfony's HttpKernel component; installations without ESI/SSI are not affected
  • The bypass works because FragmentListener skips signing checks for sub-requests; the ExceptionListener re-triggers kernel events via sub-request after the initial 403, allowing the controller to execute
  • Affected versions: Symfony 2.3.19–2.3.28, 2.4.9–2.4.10, 2.5.4–2.5.11, 2.6.0–2.6.7; fixed in 2.3.29, 2.5.12, and 2.6.8
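
The log-side checks listed above can be run over web server access logs. The following is an added example, not code from this page or from the Symfony project: it assumes Combined Log Format and that the signature parameter is named `_hash`. The function names and sample lines are constructed for illustration. A log line cannot show whether a hash is valid, so the invalid-hash case is caught only through the 403-with-body signal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
HASH_PARAM = "_hash"  # assumption: name of Symfony's URL-signature parameter

def fragment_signals(line):
    """Return the signals from the list above that one log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    # endswith() also covers front-controller prefixes such as /app.php/_fragment
    if not url.path.rstrip("/").endswith("/_fragment"):
        return []
    query = parse_qs(url.query, keep_blank_values=True)
    signals = []
    if not any(query.get(HASH_PARAM, [])):
        signals.append("missing-hash")
    if any("_controller=" in v for v in query.get("_path", [])):
        signals.append("controller-in-path")  # context only: signed requests have it too
    size = 0 if m["size"] == "-" else int(m["size"])
    if m["status"] == "403" and size > 0:
        signals.append("403-with-body")
    return signals

def suspicious(lines):
    """Keep lines with a signal that a validly signed fragment request lacks."""
    hits = []
    for line in lines:
        signals = fragment_signals(line)
        if "missing-hash" in signals or "403-with-body" in signals:
            hits.append((line.split(" ", 1)[0], signals))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Jun/2015:10:00:00 +0000] "GET /_fragment?_path=_controller=phpcredits&flag=-1 HTTP/1.1" 403 1842',
    '198.51.100.4 - - [02/Jun/2015:10:00:01 +0000] "GET /_fragment?_path=_controller%3Dsidebar&_hash=Zm9vYmFy HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Jun/2015:10:00:02 +0000] "GET /index HTTP/1.1" 200 3021',
    '198.51.100.23 - - [02/Jun/2015:10:00:03 +0000] "GET /_fragment?_path=_controller%3Dsidebar&_hash=bogus HTTP/1.1" 403 977',
]

if __name__ == "__main__":
    for host, signals in suspicious(SAMPLE):
        print(host, ",".join(signals))
```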

CVSS provenance

nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv | 4.3 | MEDIUM
vendor_debian | 4.3 | MEDIUM