#VU40709 Code Injection in Symfony - CVE-2015-2308 

 


Published: June 24, 2015 / Updated: August 9, 2020


Vulnerability identifier: #VU40709
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-2308
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Symfony
Software vendor: SensioLabs

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.


Remediation

Install update from vendor's website.
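
To confirm that a project no longer pins an affected release, the version ranges given in the description can be checked against its composer.lock. The script below is an added example, not code from this advisory or from Symfony; the package names symfony/symfony and symfony/http-kernel and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

# Affected ranges from the advisory text, as half-open [low, high) intervals.
AFFECTED = [
    ((2, 0, 0), (2, 3, 27)),  # 2.x before 2.3.27
    ((2, 4, 0), (2, 5, 11)),  # 2.4.x and 2.5.x before 2.5.11
    ((2, 6, 0), (2, 6, 6)),   # 2.6.x before 2.6.6
]
# Assumption: Composer packages that ship the HttpKernel component.
PACKAGES = {"symfony/symfony", "symfony/http-kernel"}

def parse_version(text):
    """Return (major, minor, patch), or None for dev-master, 2.3.x-dev and similar.
    A pre-release suffix such as -BETA1 is ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version):
    """True/False for a tagged release, None when the version needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    return any(low <= v < high for low, high in AFFECTED)

def audit_lock(lock_text):
    """List (name, version, affected) for each matching package in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") in PACKAGES:
                version = pkg.get("version", "")
                findings.append((pkg["name"], version, is_affected(version)))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v2.5.10"},
        {"name": "twig/twig", "version": "v1.18.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, version, affected in audit_lock(SAMPLE_LOCK):
        status = {True: "AFFECTED", False: "not affected", None: "review manually"}[affected]
        print(f"{name} {version}: {status}")
```

Branch aliases and dev versions return None on purpose, because the lock file alone does not show whether such a checkout contains the fix.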
