Code Injection in Symfony - CVE-2015-2308

Published: June 24, 2015 / Updated: August 9, 2020
Vulnerability identifier: #VU40709
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-2308
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SensioLabs
Affected software: Symfony

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.
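The description above names the vector: a `<script language="php">` element, which PHP releases before 7.0 accept as an alternative open tag, reaching an eval()-based processing step in HttpCache. The following PHP snippet is an added example and is not Symfony code or the vendor's patch; it shows the defensive gate a practitioner would want in front of any such step: detect every PHP open-tag form (`<?php`, `<?=`, `<?`, and the legacy `<script language="php">`) in untrusted content, and neutralise them before the content is ever evaluated. The function names and the sample body are constructed for this example.

```php
<?php
// Added example (not Symfony's code): detect and neutralise PHP open tags in
// untrusted content before it reaches an eval()-based surrogate/ESI step.

// Matches the standard open tags and the legacy <script language="php"> form
// (PHP < 7). Attribute quoting, case and surrounding whitespace vary, so the
// pattern is deliberately permissive.
const PHP_OPEN_TAG_PATTERN =
    '/<\?|<script\b[^>]*\blanguage\s*=\s*["\']?php\b/i';

// Returns true when the content contains anything PHP could treat as an
// open tag. Use it as a hard reject before any eval()-style processing.
function containsPhpOpenTag(string $content): bool
{
    return (bool) preg_match(PHP_OPEN_TAG_PATTERN, $content);
}

// Entity-escapes every open-tag form so the text survives as literal markup
// but can no longer switch the interpreter into PHP mode. Note that this also
// escapes an XML prolog ("<?xml"), which short_open_tag would otherwise honour.
function neutralizePhpOpenTags(string $content): string
{
    // Standard and short open tags: <?php, <?=, <?
    $content = preg_replace('/<\?(php|=)?/i', '&lt;?$1', $content);

    // Legacy script open tag: <script language="php"> in any quoting/case.
    $content = preg_replace(
        '/<script\b[^>]*\blanguage\s*=\s*["\']?php["\']?[^>]*>/i',
        '&lt;script language="php"&gt;',
        $content
    );

    return $content;
}

// Constructed sample: a user-supplied fragment that embeds the legacy tag.
$untrusted = '<p>Hello</p><SCRIPT language=php>echo "injected";</SCRIPT>'
           . '<esi:include src="/fragment" />';

if (containsPhpOpenTag($untrusted)) {
    // Either reject outright or escape before further processing.
    $safe = neutralizePhpOpenTags($untrusted);
    var_dump(containsPhpOpenTag($safe));
    echo $safe, PHP_EOL;
}
```

Rejecting (rather than escaping) is the simpler policy when the content should never legitimately carry PHP tags; escaping is shown here because a cache layer typically has to pass the body on rather than drop it.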
How to mitigate CVE-2015-2308

Install update from vendor's website.

Sources