CVE-2019-11325

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:20

Type Values Removed Values Added
References () https://github.com/symfony/symfony/releases/tag/v4.3.8 - Release Notes, Third Party Advisory () https://github.com/symfony/symfony/releases/tag/v4.3.8 - Release Notes, Third Party Advisory
References () https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 - Patch, Third Party Advisory () https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 - Patch, Third Party Advisory
References () https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter - Vendor Advisory () https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter - Vendor Advisory
References () https://symfony.com/blog/symfony-4-3-8-released - Release Notes, Vendor Advisory () https://symfony.com/blog/symfony-4-3-8-released - Release Notes, Vendor Advisory

Information

Published : 2019-11-21 23:15

Updated : 2024-11-21 04:20


NVD link : CVE-2019-11325

Mitre link : CVE-2019-11325

CVE.ORG link : CVE-2019-11325


JSON object : View

Products Affected

sensiolabs

  • symfony
CWE
CWE-116

Improper Encoding or Escaping of Output