CVE-2019-10909
published 2019-05-16

Severity: medium (CVSS 3.1 base score 5.4)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Priority: P424
EPSS: 1.05% (59.9th percentile)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
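The description above names the bug class but not the patched template. The following PHP script is an added illustration, not Symfony's code: it models a validation message that interpolates the submitted value through a hypothetical "{{ value }}" placeholder and is then rendered into a form theme without escaping (the vulnerable path), beside the same message passed through htmlspecialchars() before it reaches the markup (the hardened path). The function names, the message template and the submitted payload are all constructed for the example.

```php
<?php
// Added example for the bug class behind CVE-2019-10909: a constraint
// violation message that carries user input is echoed into HTML unescaped.
// Constructed code for illustration; it is not Symfony's form theme.
declare(strict_types=1);

/**
 * Expand a hypothetical "{{ value }}" placeholder with the submitted value,
 * the way a validation message that quotes the invalid input would.
 */
function buildViolationMessage(string $template, string $submitted): string
{
    return str_replace('{{ value }}', $submitted, $template);
}

/** Vulnerable rendering: the message goes into the markup as-is. */
function renderErrorUnescaped(string $message): string
{
    return '<ul><li>' . $message . '</li></ul>';
}

/** Hardened rendering: HTML-escape the message before it enters the markup. */
function renderErrorEscaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<ul><li>' . $safe . '</li></ul>';
}

/** Check used by this example: does the rendered HTML still contain the raw payload? */
function containsRawMarkup(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed sample input: what an attacker types into the form field.
$submitted = '<img src=x onerror=alert(document.domain)>';
// Constructed message template that quotes the submitted value.
$template  = 'The value "{{ value }}" is not a valid country code.';
$message   = buildViolationMessage($template, $submitted);

$vulnerable = renderErrorUnescaped($message);
$hardened   = renderErrorEscaped($message);

echo "unescaped: ", $vulnerable, PHP_EOL;
echo "escaped:   ", $hardened, PHP_EOL;
echo "payload survives unescaped render: ",
    containsRawMarkup($vulnerable, $submitted) ? 'yes' : 'no', PHP_EOL;   // yes
echo "payload survives escaped render:   ",
    containsRawMarkup($hardened, $submitted) ? 'yes' : 'no', PHP_EOL;     // no
```

Run it with `php example.php`. The point to carry back to a real application: any message that re-quotes submitted data is attacker-controlled text, so escaping must happen at the point where the message is written into HTML, not be assumed from the validator. The remediation for the framework itself is to upgrade to one of the fixed versions listed under "Affected" below; the example only shows what the fix has to achieve.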

Affected

27 ranges · showing 25

Vendor     | Product          | Version range                         | Fixed in
-----------|------------------|---------------------------------------|-------------------------------
debian     | symfony          | < 3.4.22+dfsg-2 (bookworm)            | 3.4.22+dfsg-2 (bookworm)
drupal     | core             | >= 8.0.0, < 8.5.15                    | 8.5.15
drupal     | core             | >= 8.6.0, < 8.6.15                    | 8.6.15
drupal     | drupal           | >= 8.0.0, < 8.5.15                    | 8.5.15
drupal     | drupal           | >= 8.5.0, < 8.5.15                    | 8.5.15
drupal     | drupal           | >= 8.6.0, < 8.6.15                    | 8.6.15
drupal     | drupal           | >= 8.6.0, < 8.6.15                    | 8.6.15
drupal     | drupal_core      | (no range given)                      | (not given)
sensiolabs | symfony          | >= 2.7.0, < 2.7.51                    | 2.7.51
sensiolabs | symfony          | >= 2.8.0, < 2.8.50                    | 2.8.50
sensiolabs | symfony          | >= 3.4.0, < 3.4.26                    | 3.4.26
sensiolabs | symfony          | >= 4.1.0, < 4.1.12                    | 4.1.12
sensiolabs | symfony          | >= 4.2.0, < 4.2.7                     | 4.2.7
symfony    | framework-bundle | >= 2.7.0, < 2.7.51                    | 2.7.51
symfony    | framework-bundle | >= 2.8.0, < 2.8.50                    | 2.8.50
symfony    | framework-bundle | >= 3.0.0, < 3.4.26                    | 3.4.26
symfony    | framework-bundle | >= 4.0.0, < 4.1.12                    | 4.1.12
symfony    | framework-bundle | >= 4.2.0, < 4.2.7                     | 4.2.7
symfony    | symfony          | >= 0, < 3.4.22+dfsg-2                 | 3.4.22+dfsg-2
symfony    | symfony          | >= 0, < 3.4.22+dfsg-2                 | 3.4.22+dfsg-2
symfony    | symfony          | >= 0, < 3.4.22+dfsg-2                 | 3.4.22+dfsg-2
symfony    | symfony          | >= 0, < 3.4.22+dfsg-2                 | 3.4.22+dfsg-2
symfony    | symfony          | >= 2.7.0, < 2.7.51                    | 2.7.51
symfony    | symfony          | >= 2.8.0, < 2.8.50                    | 2.8.50
symfony    | symfony          | >= 3.0.0, < 3.4.26                    | 3.4.26

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------|--------------|-------|----------|-----------------------------------------------
nvd           | 3.1          | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd           | 2.0          | 3.5   | LOW      | AV:N/AC:M/Au:S/C:N/I:P/A:N
osv           |              | 5.4   | MEDIUM   |
vendor_debian |              | 5.4   | MEDIUM   |