CVE-2019-10909 – symfony/framework-bundle

Package

Manager: composer
Name: symfony/framework-bundle
Vulnerable Version: >=2.7.0 <2.7.51 || >=2.8.0 <2.8.50 || >=3.0.0 <3.4.26 || >=4.0.0 <4.1.12 || >=4.2.0 <4.2.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00615 pctl0.68957

Details

Symfony Cross-site Scripting (XSS) vulnerability In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Metadata

Created: 2019-11-12T23:00:53Z
Modified: 2024-02-14T15:22:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-g996-q5r8-w7g2/GHSA-g996-q5r8-w7g2.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-g996-q5r8-w7g2
Finding: F425
Auto approve: 1