The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Symfony

Vulnerability note CVE-2019-10909, CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions (not comprehensive), Red Hat SSO, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

This bulletin groups two independent issues that share the same patched packages.

CVE-2019-10909 (Symfony): the form themes of the PHP templating engine insert validation messages into the generated HTML without escaping them, so a validation message that echoes user input lets that input reach the page as markup.

CVE-2019-11358 (jQuery before 3.4.0): a deep jQuery.extend() merge copies a "__proto__" key from an attacker-supplied object onto Object.prototype (prototype pollution); depending on how the page later reads the polluted properties, this can end in script execution.

In both cases an attacker can therefore trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site.

Vulnerability note CVE-2019-10912

Symfony: read-write access via destructors

Synthesis of the vulnerability

An attacker can bypass access restrictions via destructors of Symfony, in order to delete or alter data.
Impacted products: Debian, Fedora, Symfony.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CVE-2019-10912, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, VIGILANCE-VUL-29069.

Description of the vulnerability

Several Symfony classes, in the Cache component and the PHPUnit bridge, have destructors with side effects such as deleting files or directories. If an application unserializes attacker-controlled data, the attacker can supply a serialized instance of one of these classes with chosen properties; PHP runs the destructor when the object is released, with the attacker's values. The fix makes these classes refuse serialization and unserialization.

An attacker can therefore bypass access restrictions via destructors of Symfony, in order to delete or alter data.

Vulnerability note CVE-2019-10911

Symfony, Drupal: privilege escalation via the "remember me" cookie

Synthesis of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate their privileges.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10911, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29065.

Description of the vulnerability

The remember-me cookie carries a hash computed over the user class, the username, the expiration timestamp and the stored password, concatenated with no separator between fields. The boundary between username and timestamp is therefore ambiguous: the digits at the end of one username can be read as the beginning of another user's expiration time. A user able to choose a username made of a target's username plus digits can obtain a legitimate cookie and rewrite it into one that validates as the target, with a longer, hence later, expiration. Because the stored password is also part of the hash input, this only works when both accounts share the same password value, as with accounts authenticated externally that hold no local password. The fix inserts a separator between the fields.

An attacker can therefore bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate their privileges.
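The field-boundary ambiguity behind this bulletin, shown as an added example that is neither Vigil@nce's nor Symfony's code. The cookie is modelled as "class:username:expires:digest" with the digest an HMAC over user class, username, expiry and stored password; the vulnerable variant concatenates those fields with nothing between them, so "alice1" + "1700000000" and "alice" + "11700000000" produce the same digest, and an attacker holding a cookie for "alice1" can rewrite it into a valid cookie for "alice". The hardened variant length-prefixes every field, which is stricter than a single separator. The secret, the user class name, the two accounts (both without a local password, the precondition the substitution needs) and the timestamps are constructed for the example.

```python
"""Remember-me cookie hash: ambiguous vs. unambiguous field encoding.

Illustration only; not Symfony's implementation. Accounts, secret and
timestamps are constructed for the example.
"""
import hashlib
import hmac

SECRET = b"constructed-example-secret"   # assumption: application secret
USER_CLASS = "App\\Entity\\User"           # assumption: user class name

# Constructed accounts. Both are externally authenticated and store no
# local password, so the password field of the hash input is "" for both;
# without that equality the substitution below would not validate.
USERS = {
    "alice": {"roles": ["ROLE_ADMIN"], "password_hash": ""},
    "alice1": {"roles": ["ROLE_USER"], "password_hash": ""},
}


def legacy_cookie_hash(user_class, username, expires, password_hash):
    """Vulnerable: fields concatenated without any delimiter."""
    message = f"{user_class}{username}{expires}{password_hash}".encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def hardened_cookie_hash(user_class, username, expires, password_hash):
    """Fixed: each field is length-prefixed, so no two different field
    sequences can yield the same byte string."""
    parts = (user_class, username, expires, password_hash)
    message = "".join(f"{len(part)}:{part}" for part in parts).encode()
    return hmac.new(SECRET, message, hashlib.sha256).hexdigest()


def issue_cookie(username, expires, hash_fn):
    """Server side: build the cookie for a user who ticked 'remember me'.
    `expires` is a decimal Unix timestamp as a string."""
    password_hash = USERS[username]["password_hash"]
    digest = hash_fn(USER_CLASS, username, expires, password_hash)
    return f"{USER_CLASS}:{username}:{expires}:{digest}"


def validate_cookie(cookie, hash_fn, now):
    """Server side: return the authenticated username, or None."""
    user_class, username, expires, digest = cookie.rsplit(":", 3)
    user = USERS.get(username)
    if user is None or int(expires) < now:
        return None
    expected = hash_fn(user_class, username, expires, user["password_hash"])
    return username if hmac.compare_digest(expected, digest) else None


def forge_victim_cookie(attacker_cookie, victim):
    """Attacker side: move the trailing digits of the attacker's own
    username into the expiry field and keep the digest unchanged. The
    resulting expiry has more digits, so it lies further in the future."""
    user_class, attacker, expires, digest = attacker_cookie.rsplit(":", 3)
    suffix = attacker[len(victim):]
    if not attacker.startswith(victim) or not suffix.isdigit():
        raise ValueError("attacker username must be the victim's name plus digits")
    return f"{user_class}:{victim}:{suffix + expires}:{digest}"


if __name__ == "__main__":
    now = 1690000000
    stolen = issue_cookie("alice1", "1700000000", legacy_cookie_hash)
    print("legacy, forged validates as:",
          validate_cookie(forge_victim_cookie(stolen, "alice"), legacy_cookie_hash, now))
    stolen = issue_cookie("alice1", "1700000000", hardened_cookie_hash)
    print("hardened, forged validates as:",
          validate_cookie(forge_victim_cookie(stolen, "alice"), hardened_cookie_hash, now))
```

The separator the real fix adds is enough when the separator character cannot appear inside a field; length-prefixing removes even that condition, which is why it is the encoding to prefer whenever several variable-length fields feed one MAC.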

Vulnerability note CVE-2019-10910

Symfony, Drupal: code execution via service IDs

Synthesis of the vulnerability

An attacker can use a vulnerability via service IDs of Symfony or Drupal, in order to run code.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10910, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29064.

Description of the vulnerability

The Dependency Injection container did not validate service identifiers. When an application derives a service ID from unfiltered user input, the attacker-controlled identifier can result in the execution of arbitrary code. The fix rejects service IDs that contain invalid characters; applications should in any case never build service IDs from request data.

An attacker can therefore use a vulnerability via service IDs of Symfony or Drupal, in order to run code.

Vulnerability note CVE-2019-10913

Symfony: Cross Site Request Forgery via X-Http-Method-Override

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery via X-Http-Method-Override of Symfony, in order to force the victim to perform operations.
Impacted products: Debian, Fedora, Symfony.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CVE-2019-10913, DLA-1778-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, VIGILANCE-VUL-29062.

Description of the vulnerability

Symfony's Request accepts an HTTP method override, through the X-Http-Method-Override header (and the _method request parameter when method parameter override is enabled). The overriding value was treated as trusted without validation, so Request::getMethod() returned whatever string the client sent. An application that reuses this value, for instance when rendering a form or building an outgoing request, can be driven into Cross Site Request Forgery (or Server Side Request Forgery) with an attacker-chosen verb. The fix rejects overrides that are not valid HTTP method names.

An attacker can therefore trigger a Cross Site Request Forgery via X-Http-Method-Override of Symfony, in order to force the victim to perform operations.

Vulnerability note CVE-2018-19790

Symfony: open redirect via Backslashes

Synthesis of the vulnerability

An attacker can deceive the user via backslashes of Symfony, in order to redirect them to a malicious site.
Impacted products: Debian, eZ Platform, eZ Publish, Fedora, Symfony.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 06/12/2018.
Identifiers: CVE-2018-19790, DLA-1707-1, DSA-4441-1, EZSA-2018-010, FEDORA-2018-66547a8c14, FEDORA-2018-6edf04d9d6, FEDORA-2018-84a1f77d89, FEDORA-2018-8c06b6defd, FEDORA-2018-8d3a9bdff1, FEDORA-2018-b38a4dd0c7, VIGILANCE-VUL-27979.

Description of the vulnerability

After a successful login, Symfony's security handlers redirect the user to the target path submitted with the login request (the _target_path value). The check that rejects off-site targets only recognised URLs starting with a scheme or with two forward slashes. A target such as /\evil.example passed the check, but browsers treat a backslash in an http(s) URL as a forward slash, resolve it to //evil.example and leave the site. The fix treats backslashes like slashes when deciding whether a target is local.

An attacker can therefore deceive the user via backslashes of Symfony, in order to redirect them to a malicious site.
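The check and its bypass, as an added example that is not code from the bulletin or from Symfony. A post-login handler that redirects to a client-supplied target must make sure the target stays on the current site; the naive check below only looks for a scheme or a leading "//" and therefore accepts "/\evil.example/", which a browser normalises to "//evil.example/" and follows off-site. The hardened check normalises backslashes first. The host names are constructed for the example.

```python
"""Redirect-target check and the backslash bypass (illustration, not
Symfony's code; host names constructed for the example)."""
from urllib.parse import urlsplit


def naive_is_local_target(target):
    """Vulnerable: only rejects absolute URLs and network-path references
    that are written with forward slashes."""
    return (
        target.startswith("/")
        and not target.startswith("//")
        and "://" not in target
    )


def hardened_is_local_target(target):
    """Treat every backslash as a slash before deciding, then require a
    path-only reference: no scheme and no authority component."""
    normalized = target.replace("\\", "/")
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    return parts.scheme == "" and parts.netloc == ""


def browser_destination_host(target, current_host):
    """Simplified model of how a browser resolves a relative redirect
    against the current page: in an http(s) URL backslashes are treated as
    slashes, and a "//host/..." reference switches to that host."""
    normalized = target.replace("\\", "/")
    if normalized.startswith("//"):
        return urlsplit("https:" + normalized).hostname
    return current_host


def safe_redirect_target(target, fallback="/"):
    """What a success handler should do: fall back to a fixed local path
    whenever the submitted target is not provably local."""
    return target if hardened_is_local_target(target) else fallback


if __name__ == "__main__":
    probe = "/\\evil.example/"
    print("naive accepts:", naive_is_local_target(probe))          # True
    print("hardened accepts:", hardened_is_local_target(probe))    # False
    print("browser goes to:", browser_destination_host(probe, "app.example"))
    print("handler redirects to:", safe_redirect_target(probe))    # /
```

The normalisation step is the whole fix; a check that inspects the raw string with a blacklist of prefixes will keep missing encodings the browser accepts, so validating the parsed, normalised form (no scheme, no authority) is the robust approach.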

Vulnerability note CVE-2018-19789

Symfony: information disclosure via File Uploads Form Types

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via File Uploads Form Types of Symfony, in order to obtain sensitive information.
Impacted products: Debian, eZ Platform, eZ Publish, Fedora, Symfony.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 06/12/2018.
Identifiers: CVE-2018-19789, DLA-1707-1, DSA-4441-1, EZSA-2018-010, FEDORA-2018-66547a8c14, FEDORA-2018-6edf04d9d6, FEDORA-2018-84a1f77d89, FEDORA-2018-8c06b6defd, FEDORA-2018-8d3a9bdff1, FEDORA-2018-b38a4dd0c7, VIGILANCE-VUL-27978.


Vulnerability note CVE-2018-14774

Symfony: information disclosure via HttpCache X-Forwarded-Host Host Header Injection

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via HttpCache X-Forwarded-Host Host Header Injection of Symfony, in order to obtain sensitive information.
Impacted products: Symfony.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 02/08/2018.
Identifiers: CVE-2018-14774, VIGILANCE-VUL-26885.

Description of the vulnerability

When an application is served through Symfony's HttpCache reverse proxy, the values of incoming X-Forwarded-Host headers were implicitly trusted by the application behind the cache, even though the client that sends them is not a trusted proxy. An attacker can therefore inject a host name of their choice into the URLs the application generates (for example absolute links embedded in cached pages or in e-mails), the usual outcome of Host header injection.

An attacker can therefore bypass access restrictions to data via HttpCache X-Forwarded-Host Host Header Injection of Symfony, in order to obtain sensitive information.

Vulnerability note CVE-2018-14773

Symfony: information disclosure via X-Original-URL / X-Rewrite-URL

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
Impacted products: Debian, Drupal Core, Fedora, Symfony.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 02/08/2018.
Identifiers: CERTFR-2018-AVI-370, CVE-2018-14773, DLA-1707-1, DRUPAL-SA-CORE-2018-005, DSA-4441-1, FEDORA-2018-4deae442f2, FEDORA-2018-6f3ceeb7cb, FEDORA-2018-732f45d43e, FEDORA-2018-7f43cbdb69, FEDORA-2018-9b54497b6e, FEDORA-2018-9c38d1dc1d, VIGILANCE-VUL-26884.

Description of the vulnerability

Symfony's Request honoured the X-Original-URL and X-Rewrite-URL headers, originally meant for IIS URL rewriting, from any client, and used their value as the request URI when routing. Access restrictions enforced in front of the application (web server or proxy rules on the path) only see the URL in the request line, so a client can request an allowed URL and set X-Original-URL to a restricted path such as an administration area, and the application serves the restricted route. The fix removes support for both headers.

An attacker can therefore bypass access restrictions to data via X-Original-URL / X-Rewrite-URL of Symfony, in order to obtain sensitive information.
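The bypass, as an added example rather than code from the bulletin or from Symfony: a minimal request model in which the vulnerable resolver lets a client-supplied X-Original-URL or X-Rewrite-URL header replace the request-line path while the hardened one ignores both, together with the presence check a detection rule or edge filter would apply. The restricted prefix, the requests and the header values are constructed for the example.

```python
"""Path-override headers vs. front-end access rules (illustration; not
Symfony's code; requests and restricted prefix constructed for the example).

A front-end (web server or proxy) applies its allow/deny rules to the path
in the request line. If the framework behind it lets an override header
replace that path when routing, the rule is checked against one URL and the
application serves another.
"""
from dataclasses import dataclass, field

RESTRICTED_PREFIXES = ("/admin",)                    # assumption: blocked at the edge
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    path: str                                        # path from the request line
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None when absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def front_end_allows(req):
    """The proxy/web server rule: it only ever sees the request-line path."""
    return not req.path.startswith(RESTRICTED_PREFIXES)


def legacy_request_uri(req):
    """Vulnerable resolution: an override header from any client wins."""
    for name in OVERRIDE_HEADERS:
        value = req.header(name)
        if value is not None:
            return value
    return req.path


def hardened_request_uri(req):
    """Fixed resolution: the request line is the only source of the path."""
    return req.path


def reaches_restricted_route(req, resolve):
    """True when the front-end lets the request through but the application
    routes it to a restricted path: the bypass condition."""
    return front_end_allows(req) and resolve(req).startswith(RESTRICTED_PREFIXES)


def override_headers_present(req):
    """Detection aid: names of override headers carried by a request.
    Ordinary clients have no reason to send them, so any hit is worth
    logging, and an edge proxy can strip them before forwarding."""
    return [name for name in OVERRIDE_HEADERS if req.header(name) is not None]


if __name__ == "__main__":
    probe = Request("/public/page", {"X-Original-URL": "/admin/users"})
    print("front-end allows:", front_end_allows(probe))            # True
    print("legacy routes to:", legacy_request_uri(probe))          # /admin/users
    print("hardened routes to:", hardened_request_uri(probe))      # /public/page
    print("override headers seen:", override_headers_present(probe))
```

Stripping these two headers at the reverse proxy is a sound compensating control for applications that cannot be upgraded immediately, and logging their presence gives a cheap indicator of probing.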

Vulnerability note CVE-2018-12040

Symfony: Cross Site Scripting via Profiler

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Profiler of Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Symfony.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/06/2018.
Identifiers: CVE-2018-12040, VIGILANCE-VUL-26370.

Description of the vulnerability

Symfony ships a web profiler that collects data about each request and renders it as HTML.

However, data received via the Profiler is not filtered before being inserted into the generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the Profiler of Symfony, in order to run JavaScript code in the context of the web site.