CVE-2019-10909
Published: 2019-05-16
Priority: P4 · 24 · CVSS 3.1 base score 5.4 (medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.05% (59.9th percentile)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Affected (27 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 3.4.22+dfsg-2 (bookworm) | symfony 3.4.22+dfsg-2 (bookworm) |
| drupal | core | >= 8.0.0 < 8.5.15 | 8.5.15 |
| drupal | core | >= 8.6.0 < 8.6.15 | 8.6.15 |
| drupal | drupal | >= 8.0.0 < 8.5.15 | 8.5.15 |
| drupal | drupal | >= 8.5.0 < 8.5.15 | 8.5.15 |
| drupal | drupal | >= 8.6.0 < 8.6.15 | 8.6.15 |
| drupal | drupal | >= 8.6.0 < 8.6.15 | 8.6.15 |
| drupal | drupal_core | — | — |
| sensiolabs | symfony | >= 2.7.0 < 2.7.51 | 2.7.51 |
| sensiolabs | symfony | >= 2.8.0 < 2.8.50 | 2.8.50 |
| sensiolabs | symfony | >= 3.4.0 < 3.4.26 | 3.4.26 |
| sensiolabs | symfony | >= 4.1.0 < 4.1.12 | 4.1.12 |
| sensiolabs | symfony | >= 4.2.0 < 4.2.7 | 4.2.7 |
| symfony | framework-bundle | >= 2.7.0 < 2.7.51 | 2.7.51 |
| symfony | framework-bundle | >= 2.8.0 < 2.8.50 | 2.8.50 |
| symfony | framework-bundle | >= 3.0.0 < 3.4.26 | 3.4.26 |
| symfony | framework-bundle | >= 4.0.0 < 4.1.12 | 4.1.12 |
| symfony | framework-bundle | >= 4.2.0 < 4.2.7 | 4.2.7 |
| symfony | symfony | >= 0 < 3.4.22+dfsg-2 | 3.4.22+dfsg-2 |
| symfony | symfony | >= 0 < 3.4.22+dfsg-2 | 3.4.22+dfsg-2 |
| symfony | symfony | >= 0 < 3.4.22+dfsg-2 | 3.4.22+dfsg-2 |
| symfony | symfony | >= 0 < 3.4.22+dfsg-2 | 3.4.22+dfsg-2 |
| symfony | symfony | >= 2.7.0 < 2.7.51 | 2.7.51 |
| symfony | symfony | >= 2.8.0 < 2.8.50 | 2.8.50 |
| symfony | symfony | >= 3.0.0 < 3.4.26 | 3.4.26 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 5.4 | MEDIUM | — |
| vendor_debian | — | 5.4 | MEDIUM | — |
Drupal
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
vendor_drupal · 2019-04-17 · CVSS 5.4 [MEDIUM]
Vulnerability Type: Multiple Vulnerabilities
Description: This security release fixes third-party dependencies included in or required by Drupal core.
* CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory: Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.
* CVE-2019-10910: Check service IDs are valid. From that advisory: Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.
* CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory
Debian
CVE-2019-10909: symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1...
vendor_debian · 2019 · CVSS 5.4 [MEDIUM]
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Scope: local
bookworm: resolved (fixed in 3.4.22+dfsg-2)
bullseye: resolved (fixed in 3.4.22+dfsg-2)
forky: resolved (fixed in 3.4.22+dfsg-2)
sid: resolved (fixed in 3.4.22+dfsg-2)
trixie: resolved (fixed in 3.4.22+dfsg-2)
OSV
Symfony Cross-site Scripting (XSS) vulnerability
osv · 2019-11-12 · [MEDIUM]
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
GHSA
Symfony Cross-site Scripting (XSS) vulnerability
ghsa · 2019-11-12 · [MEDIUM] · CWE-79
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
OSV
CVE-2019-10909: In Symfony before 2
osv · 2019-05-16 · CVSS 5.4 [MEDIUM]
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
OSV
CVE-2019-10909: This security release fixes third-party dependencies included in or required by Drupal core
osv · 2019-04-17 · CVSS 5.4 [MEDIUM]
This security release fixes third-party dependencies included in or required by Drupal core.
* [CVE-2019-10909: Escape validation messages in the PHP templating engine](https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine). From that advisory:
> Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.
* [CVE-2019-10910: Check service IDs are valid](https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid). From that advisory:
> Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.
* [CVE-2019-10911: Add a separator in the remember me
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [epel-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog an
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
Multiple vulnerabilities were discovered in the Symfony PHP framework
which could lead to cache bypass, authentication bypass, information
disclosure, open redirect, cross-site request forgery, deletion of
arbitrary files, or arbitrary code execution.
References:
https://www.debian.org/security/2019/dsa-4441
https://security-tracker.debian.org/tracker/symfony
Discussion:
Created php-symfony tracking bugs for this issue:
Affects: epel-all [bug 1719512]
Affects: fedora-all [bug 1719511]
Created php-symfony3 tracking bugs for this issue:
Affects: fedora-all [bug 1719513]
Created php-symfony4 tracking bugs for this issue:
Affects: fe
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelo
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony4: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony3: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
References:
* https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
* https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
* https://www.drupal.org/sa-core-2019-005
* https://www.synology.com/security/advisory/Synology_SA_19_19
Published: 2019-05-16