An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
References
Link | Resource |
---|---|
https://github.com/symfony/symfony/releases/tag/v4.3.8 | Release Notes Third Party Advisory |
https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 | Patch Third Party Advisory |
https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter | Vendor Advisory |
https://symfony.com/blog/symfony-4-3-8-released | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2019-11-21 23:15
Updated : 2024-02-28 17:28
NVD link : CVE-2019-11325
Mitre link : CVE-2019-11325
CVE.ORG link : CVE-2019-11325
JSON object : View
Products Affected
sensiolabs
- symfony
CWE
CWE-116
Improper Encoding or Escaping of Output