CVE-2019-10913 – symfony/http-foundation
Package
Manager: composer
Name: symfony/http-foundation
Vulnerable Version: >=2.7.0 <2.7.51 || >=2.8.0 <2.8.50 || >=3.0.0 <3.4.26 || >=4.0.0 <4.1.12 || >=4.2.0 <4.2.7
Severity
Level: Critical
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00257 (percentile 0.48902)
Details
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, the HTTP method, whether taken from the request line verb or from the method override header, is exposed to the application as if it were trusted input, but Symfony does not validate it. An application that interpolates the method into an SQL query or renders it unescaped into a page is therefore exposed to SQL injection or XSS through a request whose override carries arbitrary text instead of a verb. The fixed releases validate the override and reject values that are not plausible method names. This is related to symfony/http-foundation.
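The mechanism above, as an added example that is not Symfony's code: a stand-alone PHP script that models the pre-fix resolution of a POST's method override (merely upper-cased and returned) beside the validation the fix introduced, then feeds both results into a naive audit-log sink. Assumptions, for illustration only: the override is read from the X-HTTP-METHOD-OVERRIDE header or a _method parameter (Symfony's conventions); the hardened path throws a plain InvalidArgumentException where Symfony uses its own exception type; the request is constructed, not captured; the SQL sink uses an in-memory SQLite database through PDO, so the pdo_sqlite extension must be present.

```php
<?php
declare(strict_types=1);
// Added example, not Symfony's code. Models how an unvalidated method override
// reaches application code (pre-fix) and how the fix-style validation stops it.
// Header/parameter names follow Symfony's conventions; everything else is illustrative.

const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];

/** Pre-fix style: whatever the override says, upper-cased, becomes "the method". */
function methodUnchecked(array $server, array $headers, array $post): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ('POST' !== $method) {
        return $method;                 // overrides are only honoured on POST
    }
    $override = $headers['X-HTTP-METHOD-OVERRIDE'] ?? $post['_method'] ?? 'POST';
    return strtoupper($override);       // no check at all on the override's content
}

/** Hardened: known verbs pass; anything that is not a bare uppercase token is refused. */
function methodChecked(array $server, array $headers, array $post): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ('POST' !== $method) {
        return $method;
    }
    $override = $headers['X-HTTP-METHOD-OVERRIDE'] ?? $post['_method'] ?? 'POST';
    if (!is_string($override)) {
        return $method;                 // arrays from _method[]=... fall back to POST
    }
    $override = strtoupper($override);
    if (in_array($override, KNOWN_METHODS, true)) {
        return $override;
    }
    // HTTP method names are tokens; restricting to [A-Z]+ keeps custom verbs usable
    // while ruling out quotes, angle brackets, spaces and semicolons.
    if (!preg_match('~^[A-Z]++$~D', $override)) {
        throw new InvalidArgumentException(sprintf('Invalid method override "%s".', $override));
    }
    return $override;
}

/** Naive audit-log sink that trusts the method enough to interpolate it into SQL. */
function auditSql(string $method): string
{
    return "INSERT INTO audit(method) VALUES ('" . $method . "')";
}

// Constructed request: a POST whose override is an SQL payload rather than a verb.
// Upper-casing does not defuse it: SQL keywords and SQLite table names are case-insensitive.
$server  = ['REQUEST_METHOD' => 'POST'];
$headers = ['X-HTTP-METHOD-OVERRIDE' => "post'); delete from audit; --"];
$post    = [];

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE audit(method TEXT)');
$db->exec("INSERT INTO audit(method) VALUES ('GET')");

$sql = auditSql(methodUnchecked($server, $headers, $post));
echo "Unchecked method produced: $sql\n";
$db->exec($sql);                        // executes the injected DELETE as well
echo "Rows left in audit after the unchecked path: "
    . $db->query('SELECT COUNT(*) FROM audit')->fetchColumn() . "\n";

try {
    $method = methodChecked($server, $headers, $post);
    $stmt = $db->prepare('INSERT INTO audit(method) VALUES (?)');   // parameterise regardless
    $stmt->execute([$method]);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";   // answer such a request with 400
}
```

Run it with `php example.php`. The unchecked path builds a statement containing the attacker's `DELETE` and the audit table is emptied; the checked path never reaches the database because the override fails the token check. The same override reaching an HTML template unescaped behaves the same way, since markup is also case-insensitive; the validation at the point where the method is resolved is what closes both sinks, and the parameterised insert is the defence the consumer should have had anyway.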
Metadata
Created: 2019-12-02T18:10:24Z
Modified: 2021-08-19T15:18:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-x92h-wmg2-6hp7/GHSA-x92h-wmg2-6hp7.json
CWE IDs: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Alternative ID: GHSA-x92h-wmg2-6hp7
Finding: F425
Auto approve: 1