Multiple vulnerabilities in SensioLabs Symfony



Published: 2019-11-01 | Updated: 2020-07-17
Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2013-4752, CVE-2013-4751
CWE-ID: CWE-79, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Symfony (Web applications / CMS)
Vendor: SensioLabs

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU30475

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4752

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component: when the framework generates an absolute URL, it uses the value of the HTTP Host header, which is controlled by the client and is not validated. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
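An added illustration, not Symfony's own code, of the flaw and of the allowlist approach the 2.3.3 fix took (the framework's `trusted_hosts` setting, `Request::setTrustedHosts()`): the absolute URL is assembled from whatever the client sent in Host unless that host first matches a trusted pattern. The pattern list, the request array and the path are constructed for the example.

```php
<?php
// Added example (not Symfony's code). Shows how an absolute URL built from
// an unvalidated Host header is poisoned, and the allowlist check that
// prevents it. Trusted patterns and the request below are constructed.

// Vulnerable: whatever the client sent in "Host:" becomes the URL's
// authority, e.g. in a password-reset email or a redirect.
function absoluteUrlUnsafe(array $server, string $path): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . $path;
}

// Allowlist check: the host (port stripped, lower-cased) must be a plain
// hostname and must match one of the operator-supplied patterns.
function isTrustedHost(string $host, array $trustedPatterns): bool
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    if (!preg_match('/^[a-z0-9][a-z0-9.-]*$/', $host)) {
        return false;
    }
    foreach ($trustedPatterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host)) {
            return true;
        }
    }
    return false;
}

// Hardened: refuse to build the URL at all when the Host is not trusted.
function absoluteUrlSafe(array $server, string $path, array $trustedPatterns): string
{
    $host = $server['HTTP_HOST'] ?? '';
    if (!isTrustedHost($host, $trustedPatterns)) {
        throw new UnexpectedValueException('Untrusted Host header: ' . $host);
    }
    return absoluteUrlUnsafe($server, $path);
}

// Constructed request: the Host header does not belong to this site.
$trusted = ['^(www\.)?example\.com$'];
$server  = ['HTTP_HOST' => 'not-our-site.example.net', 'HTTPS' => 'on'];

echo absoluteUrlUnsafe($server, '/reset?token=abc'), "\n"; // poisoned link
try {
    echo absoluteUrlSafe($server, '/reset?token=abc', $trusted), "\n";
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n"; // host never reaches the URL
}
```

In a real deployment the pattern list is the site's own domains, and the same check belongs in front of any code path (redirects, emails, canonical links) that reads the Host header.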

Mitigation

Install update from vendor's website.

Vulnerable software versions

Symfony: 2.3.0 - 2.3.2

External links

http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released
http://www.securityfocus.com/bid/61715
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752
http://exchange.xforce.ibmcloud.com/vulnerabilities/86365
http://exchange.xforce.ibmcloud.com/vulnerabilities/86366
http://exchange.xforce.ibmcloud.com/vulnerabilities/86367
http://exchange.xforce.ibmcloud.com/vulnerabilities/86368
http://exchange.xforce.ibmcloud.com/vulnerabilities/86369
http://exchange.xforce.ibmcloud.com/vulnerabilities/86370
http://exchange.xforce.ibmcloud.com/vulnerabilities/86371
http://exchange.xforce.ibmcloud.com/vulnerabilities/86372
http://exchange.xforce.ibmcloud.com/vulnerabilities/86373
http://exchange.xforce.ibmcloud.com/vulnerabilities/86374


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU30718

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4751

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The Validator component (packaged as php-symfony2-Validator) loses information during serialization.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Symfony: 2.3.0 - 2.3.2

External links

http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114380.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114436.html
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released
http://www.securityfocus.com/bid/61709
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4751
http://exchange.xforce.ibmcloud.com/vulnerabilities/86364


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.