JVN#19578958: Symfony vulnerable to code injection

Symfony is an open source web application framework provided by SensioLabs. Symfony contains a code injection vulnerability. Applications with ESI support enabled and using the Symfony built-in reverse proxy (the HttpCache class) are affected.

Impact

Arbitrary PHP code may be executed on the server where an application using Symfony resides.

Solution

Update the software
Update to the appropriate version according to the information provided by the developer.
This vulnerability has been addressed in Symfony 2.3.27, 2.5.11 and 2.6.6.

Note that Symfony 2.0, 2.1, 2.2 and 2.4 are no longer being developed or supported therefore this issue has not been fixed in these versions.

Products Affected

• Symfony 2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x