| |
Vulnerability CVE-2019-10909
Published: 2019-05-16 Modified: 2019-05-17
Description: |
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. |
Type:
CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
CVSS2 => (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS Base Score |
Impact Subscore |
Exploitability Subscore |
3.5/10 |
2.9/10 |
6.8/10 |
Exploit range |
Attack complexity |
Authentication |
Remote |
Medium |
Single time |
Confidentiality impact |
Integrity impact |
Availability impact |
None |
Partial |
None |
References: |
https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
https://www.drupal.org/sa-core-2019-005
|
|
|
Copyright 2024, cxsecurity.com
|
|
|