Arbitrary Code Injection

2017-07-2808:49:25

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Symfony is vulnerable to arbitrary code injection attacks. A malicious user can inject and execute arbitrary PHP code with a language=“php” attribute of a SCRIPT element through the Symfony\Component\HttpKernel\HttpCache class. This vulnerability only affects applications with ESI or SSI support enabled.

CPENameOperatorVersion
symfony/symfonyle2.5.10
symfony/symfonyle2.1.13
symfony/symfonyle2.0.25
symfony/symfonyle2.3.26
symfony/symfonyle2.6.5
symfony/symfonyle2.2.11
symfony/symfonyle2.4.x-dev

Name	Operator	Version
symfony/symfony	le	2.5.10
symfony/symfony	le	2.1.13
symfony/symfony	le	2.0.25
symfony/symfony	le	2.3.26
symfony/symfony	le	2.6.5
symfony/symfony	le	2.2.11
symfony/symfony	le	2.4.x-dev