Vulnerability in Symfony HTTP Methods Validation
CVE-2019-10913

9.8CRITICAL

Key Information:

Vendor: Sensiolabs
Status: Symfony
Vendor: CVE Published:; 16 May 2019

Summary

The Symfony framework versions prior to 2.7.51, 2.8.50, 3.4.26, 4.1.12, and 4.2.7 are susceptible to an issue where HTTP methods supplied as verbs or through the override header are inadequately validated. This lack of validation exposes applications to potential SQL injection and cross-site scripting (XSS) vulnerabilities, allowing attackers to exploit these weaknesses to inject malicious code or manipulate the backend database.

References

https://symfony.com/blog/cve-2019-10913-reject-invalid-ht...

x_refsource_CONFIRM

https://github.com/symfony/symfony/commit/944e60f083c3bff...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2019
Vulnerability Reserved
Apr 7, 2019