CVE-2019-10909 – drupal/core
Package
Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0.0 <8.5.15 || >=8.6.0 <8.6.15
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00516 (percentile: 0.65722)
Details
Symfony Cross-site Scripting (XSS) vulnerability
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Metadata
Created: 2019-11-12T23:00:53Z
Modified: 2024-02-14T15:22:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-g996-q5r8-w7g2/GHSA-g996-q5r8-w7g2.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-g996-q5r8-w7g2
Finding: F425
Auto approve: 1