CVE-2019-10909
MEDIUM 5.4 | EPSS 0.36% | symfony - security update
Published: 2019/11/12 | Modified: 2026/5/27
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Affected packages (6)
- Debian/symfony from 0, < 3.4.22+dfsg-2
- Debian/symfony from 0, < 2.3.21+dfsg-4+deb8u5
- Packagist/drupal/core >= 8.0.0, < 8.5.15
- Packagist/drupal/drupal >= 8.0.0, < 8.5.15
- Packagist/symfony/framework-bundle >= 2.7.0, < 2.7.51
- Packagist/symfony/symfony >= 2.7.0, < 2.7.51
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (11)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10909
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2019-10909
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml
- WEB https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
- WEB https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
- WEB https://symfony.com/cve-2019-10909
- WEB https://www.drupal.org/sa-core-2019-005
- WEB https://www.synology.com/security/advisory/Synology_SA_19_19