CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-16790
https://notcve.org/view.php?id=CVE-2017-16790
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a "FileType" is sent as normal POST data that could be interpreted as a local file path on the server-side (for example, "file:///etc/passwd"). • https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files https://www.debian.org/security/2018/dsa-4262 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-16654
https://notcve.org/view.php?id=CVE-2017-16654
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal. • https://github.com/symfony/symfony/pull/24994 https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths https://www.debian.org/security/2018/dsa-4262 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2018-14774
https://notcve.org/view.php?id=CVE-2018-14774
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. Se ha descubierto un problema en HttpKernel en Symfony, desde la versión 2.7.0 hasta la 2.7.48, desde la versión 2.8.0 hasta la 2.8.43, desde la versión 3.3.0 hasta la 3.3.17, desde la versión 3.4.0 hasta la 3.4.13, desde la versión 4.0.0 hasta la 4.0.13 y desde la versión 4.1.0 hasta la 4.1.2. Al emplear HttpCache, los valores de las cabeceras X-Forwarded-Host se asignan implícitamente como fiables, aunque debería estar prohibido, lo que conduce a una potencial inyección de cabeceras host. • https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 87%CPEs: 9EXPL: 0CVE-2018-14773
https://notcve.org/view.php?id=CVE-2018-14773
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. • http://www.securityfocus.com/bid/104943 http://www.securitytracker.com/id/1041405 https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html https://seclists.org/bugtraq/2019/May/21 https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers https://www.debian.org/security/2019/dsa-4441 https://www.drupal.org/SA-CORE-2018-005 •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 2CVE-2017-18343
https://notcve.org/view.php?id=CVE-2017-18343
The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar ** EN DISPUTA ** El manipulador de depuración en Symfony, en versiones anteriores a la v2.7.33, versiones 2.8.x anteriores a la v2.8.26, versiones 3.x anteriores a la v3.2.13 y versiones 3.3.x anteriores a la v3.3.6, tiene Cross-Site Scripting (XSS) mediante una clave de array durante la impresión de excepciones pretty en ExceptionHandler.php, tal y como queda demostrado con un URI /_debugbar/open?op=get. • https://github.com/barryvdh/laravel-debugbar/issues/850 https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c https://github.com/symfony/symfony/issues/27987 https://github.com/symfony/symfony/pull/23684 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •