Vulnerability of jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Severity of this weakness: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
References of this bulletin: bulletinoct2019, CERTFR-2019-AVI-180, cpuoct2019, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.

This security threat impacts software or systems such as Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, openSUSE Leap, Solaris, Oracle Virtual Directory, WebLogic, Red Hat SSO, SLES, Symfony, Synology DSM, TYPO3 Core.

Our Vigil@nce team rates the severity of this vulnerability as medium.

The trust level is "confirmed by the editor", and the origin is a vendor document.

This bulletin is about 2 vulnerabilities.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

Symfony: version 4.2.7.
The version 4.2.7 is fixed:
  https://symfony.com/download

Symfony: version 4.1.12.
The version 4.1.12 is fixed:
  https://symfony.com/download

Symfony: version 3.4.26.
The version 3.4.26 is fixed:
  https://symfony.com/download

Symfony: version 2.8.50.
The version 2.8.50 is fixed:
  https://symfony.com/download

Debian 8: new drupal7 packages.
New packages are available:
  Debian 8: drupal7 7.32-1+deb8u17

Debian 8: new jquery packages.
New packages are available:
  Debian 8: jquery 1.7.2+dfsg-3.2+deb8u7

Debian 8: new symfony packages.
New packages are available:
  Debian 8: symfony 2.3.21+dfsg-4+deb8u5

Debian 9: new drupal7 packages.
New packages are available:
  Debian 9: drupal7 7.52-2+deb9u8

Debian 9: new symfony packages.
New packages are available:
  Debian 9: symfony 2.8.7+dfsg-1.3+deb9u2

Drupal Core: version 8.5.15.
The version 8.5.15 is fixed:
  https://www.drupal.org/project/drupal

Drupal Core: version 8.6.15.
The version 8.6.15 is fixed:
  https://www.drupal.org/project/drupal

Fedora: new php-symfony packages.
New packages are available:
  Fedora 28: php-symfony 2.8.51-1.fc28, php-symfony3 3.4.26-1.fc28
  Fedora 29: php-symfony 2.8.51-1.fc29, php-symfony3 3.4.26-1.fc29, php-symfony4 4.1.12-1.fc29

Grafana: version 6.1.6.
The version 6.1.6 is fixed:
  https://grafana.com/grafana/download

IBM API Connect: patch for Drupal.
A patch is available:
  IBM API Connect V5.0.0.0-5.0.8.6: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.5&platform=All&function=fixId&fixids=5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319.ova%3A67094276418854,5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319%3A67094276418854&includeSupersedes=0&source=fc

IBM API Connect: version 2018.4.1.5.
The version 2018.4.1.5 is fixed:
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.4&platform=All&function=all&source=fc

Joomla Community Builder: version 2.4.2.
The version 2.4.2 is fixed.

openSUSE Leap 15.1: new python-Django packages.
New packages are available:
  openSUSE Leap 15.1: python3-Django 2.2.4-lp151.2.3.1

Oracle Fusion Middleware: CPU of October 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2568292.1

Oracle Solaris: patch for third party software of October 2019 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Red Hat Single Sign-On: version 7.3.2.
The version 7.3.2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3

SUSE LE 15 SP1: new python-Django packages.
New packages are available:
  SUSE LE 15 SP1: python3-Django 2.2.4-bp151.3.3.1

TYPO3 Core: version 8.7.25.
The version 8.7.25 is fixed:
  https://get.typo3.org/version/8

TYPO3 Core: version 9.5.6.
The version 9.5.6 is fixed:
  https://get.typo3.org/version/9

Wind River Linux: solution (21/05/2019).
The solution is indicated in information sources.
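As an added example (not part of the Vigil@nce bulletin), the following script checks whether the Symfony version recorded in a project's composer.lock is at or above the fixed release for its branch, using the four fixed versions listed in the Solutions section above; it assumes that split components such as symfony/form are released with the framework's version number, and the composer.lock fragment is constructed for illustration.

```python
# Added example, not part of the Vigil@nce bulletin: check whether an installed
# Symfony version is at or above the fixed release for its branch, using the
# fixed versions listed in the "Solutions" section of this bulletin.
import json
from typing import Iterable, Optional, Tuple

# Fixed releases per maintained branch, as listed in this bulletin.
FIXED_VERSIONS = {
    (4, 2): (4, 2, 7),
    (4, 1): (4, 1, 12),
    (3, 4): (3, 4, 26),
    (2, 8): (2, 8, 50),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v4.2.6' or '4.2.6-BETA1' into (4, 2, 6); pre-release tags are dropped."""
    core = version.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_fixed(version: str) -> Optional[bool]:
    """True if at or above the branch's fixed release, False if below it, and
    None when the branch is not covered by this bulletin (e.g. an end-of-life 3.3.x)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed

def check_composer_lock(lock_json: str,
                        tracked: Iterable[str] = ("symfony/symfony",)) -> dict:
    """Map each tracked package found in a composer.lock to its fix status.
    Assumption: split components (e.g. symfony/form) are released with the
    framework's version number, so they can be passed in `tracked` as well."""
    data = json.loads(lock_json)
    wanted = set(tracked)
    return {pkg["name"]: is_fixed(pkg["version"])
            for pkg in data.get("packages", [])
            if pkg.get("name") in wanted}

# Constructed sample composer.lock fragment (not a real project's lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/framework-bundle", "version": "v4.2.6"},
    {"name": "symfony/form", "version": "v4.2.6"},
    {"name": "twig/twig", "version": "v2.10.0"},
]})

if __name__ == "__main__":
    labels = {True: "fixed", False: "VULNERABLE", None: "branch not covered"}
    report = check_composer_lock(SAMPLE_LOCK, ("symfony/framework-bundle", "symfony/form"))
    for name, status in report.items():
        print(name, labels[status])
```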