File Exposure Vulnerability in Symfony Framework across Multiple Versions
CVE-2017-16790
6.5 MEDIUM
Summary
A vulnerability in Symfony's Form component stems from how submitted data is handled. Because POST data and uploaded files are not properly separated, a crafted HTTP request can submit a 'FileType' value as ordinary POST data, which is then interpreted as a local file path on the server. If the application does not check the value, the contents of sensitive files on the server can be disclosed.
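The application-side check the summary refers to can look like the following. This is an added example, not code from Symfony or from the advisory; the function name getVerifiedUpload and the $fieldName parameter are hypothetical, and it assumes a project with the Symfony Form and HttpFoundation components installed.

```php
<?php
// Added example: guard for the value of a FileType field before the
// application reads, moves or serves it. Not Symfony's own fix.

use Symfony\Component\Form\FormInterface;
use Symfony\Component\HttpFoundation\File\UploadedFile;

/**
 * Return the upload behind a FileType field, or null when the submitted
 * value is anything other than a file PHP received in this request.
 *
 * $fieldName is a hypothetical field name supplied by the caller.
 */
function getVerifiedUpload(FormInterface $form, string $fieldName): ?UploadedFile
{
    $data = $form->get($fieldName)->getData();

    // Anything that is not an UploadedFile (for example a plain string)
    // arrived as ordinary POST data. Never treat it as a path to open.
    if (!$data instanceof UploadedFile) {
        return null;
    }

    // isValid() requires UPLOAD_ERR_OK and that PHP's is_uploaded_file()
    // accepts the temporary path, so the file really came from the
    // multipart upload of the current request.
    if (!$data->isValid()) {
        return null;
    }

    return $data;
}
```

Call it after `$form->isSubmitted() && $form->isValid()` and treat a null result as a rejected request rather than falling back to the raw field value.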
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved