Fluid Attacks Database

Description

Invalid HTTP method overrides allow possible XSS or other attacks in Symfony In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/http-foundation	>=2.7.0 <2.7.51 \|\| >=2.8.0 <2.8.50 \|\| >=3.0.0 <3.4.26 \|\| >=4.0.0 <4.1.12 \|\| >=4.2.0 <4.2.7	2.7.51, 2.8.50, 3.4.26, 4.1.12, 4.2.7
debian 11	symfony	>=0 <3.4.22+dfsg-2	3.4.22+dfsg-2
packagist	symfony/symfony	>=2.7.0 <2.7.51 \|\| >=2.8.0 <2.8.50 \|\| >=3.0.0 <3.4.26 \|\| >=4.0.0 <4.1.12 \|\| >=4.2.0 <4.2.7	2.7.51, 2.8.50, 3.4.26, 4.1.12, 4.2.7
debian 12	symfony	>=0 <3.4.22+dfsg-2	3.4.22+dfsg-2
debian 13	symfony	>=0 <3.4.22+dfsg-2	3.4.22+dfsg-2
debian 14	symfony	>=0 <3.4.22+dfsg-2	3.4.22+dfsg-2

Aliases

1. CVE-2019-109132. NVD-2019-109133. OSV-2019-109134. OSV-DEBIAN-2019-109135. GCVE-2019-109136. SECURITY-TRACKER-CVE-2019-10913

References

1. https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec2. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml4. https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides5. https://symfony.com/cve-2019-10913

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.