Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-MMCV-FVQ8-R9X3
HistoryMay 30, 2024 - 12:17 p.m.

Symfony XML decoding attack vector through external entities

2024-05-3012:17:20
CWE-502
GitHub Advisory Database
github.com
2
symfony
xmlencoder
xml decoding
attack vector
external entities
security vulnerability
file system

7.2 High

AI Score

Confidence

High

JSON

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

Affected configurations

Vulners
Node
symfonytwigRange<2.0.11
CPENameOperatorVersion
symfony/symfonylt2.0.11

7.2 High

AI Score

Confidence

High

JSON