CVE-2019-10909

MEDIUM

Sensiolabs Symfony < 2.7.51 - XSS

Title source: rule

Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Exploits (1)

nomisec SCANNER
by moften · poc
https://github.com/moften/Symfony-CVE-Scanner-PoC-

Scores

CVSS v3 5.4
EPSS 0.0036
EPSS Percentile 57.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (6)
drupal/core 8.0.0 - 8.5.15 (Packagist)
drupal/drupal 8.0.0 - 8.5.15 (Packagist)
drupal/drupal 8.5.0 - 8.5.15
sensiolabs/symfony 2.7.0 - 2.7.51
symfony/framework-bundle 2.7.0 - 2.7.51 (Packagist)
symfony/symfony 2.7.0 - 2.7.51 (Packagist)
Published May 16, 2019
Tracked Since Feb 18, 2026