CVE-2019-10913
CRITICAL9.8EPSS 0.26%Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
發布日:2019/12/2修改日:2026/5/27
描述
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
受影響套件(3)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Packagist/symfony/http-foundation>= 2.7.0, < 2.7.51
- Packagist/symfony/symfony>= 2.7.0, < 2.7.51
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10913
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10913
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml
- WEBhttps://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec
- WEBhttps://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
- WEBhttps://symfony.com/cve-2019-10913