CVE-2019-11325 — Improper Encoding or Escaping of Output in Symfony

CWE-116 — Improper Encoding or Escaping of Output6 documents5 sources

Severity

9.8CRITICALNVD

EPSS

4.7%

top 10.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Var-exporter

Timeline

PublishedNov 21

Latest updateFeb 12

Description

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Packagistsymfony/var-exporter4.2.0 — 4.2.12+1

▶Packagistsymfony/symfony4.2.0 — 4.2.12+1

▶NVDsensiolabs/symfony4.2.0 — 4.2.12+1

▶Debiansymfony/symfony< 4.3.8+dfsg-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Improper Input Validation in Symfony↗2020-02-12

▶

GHSA

Improper Input Validation in Symfony↗2020-02-12

▶

CVEList

CVE-2019-11325: An issue was discovered in Symfony before 4↗2019-11-21

▶

OSV

CVE-2019-11325: An issue was discovered in Symfony before 4↗2019-11-21

▶

📋Vendor Advisories

Debian

CVE-2019-11325: symfony - An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The Var...↗2019

▶