ASA-2019-00228 – Symfony: Escape validation messages in the PHP templating engine


Allele Security Alert

ASA-2019-00228

Identifier(s)

ASA-2019-00228, CVE-2019-10909

Title

Escape validation messages in the PHP templating engine

Vendor(s)

SensioLabs

Product(s)

Symfony

Affected version(s)

Symfony 2.7.0 to 2.7.50
Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6

Fixed version(s)

Symfony 2.7.51
Symfony 2.8.50
Symfony 3.4.26
Symfony 4.1.12
Symfony 4.2.7

Proof of concept

Unknown

Description

Validation messages were not escaped when rendered through the form theme of the PHP templating engine. A validation message is normally a fixed string, but it can carry user input (for example, a constraint message that embeds the submitted value), and in that case the unescaped output could result in Cross-Site Scripting (XSS).
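The following script is an illustrative example added to this alert; it is not Symfony's own form theme or the upstream fix, and the alert itself records no technical details. It models the behaviour the description names: a constraint message with a `{{ value }}` placeholder is filled in with the submitted value, then written into an error list with and without HTML escaping. The `FormErrorStub` class, the `buildValidationMessage()` helper and the use of `htmlspecialchars()` in place of the PHP engine's `$view->escape()` are assumptions made for a stand-alone script; the attacker input is constructed.

```php
<?php
declare(strict_types=1);

// Illustrative example added to this alert; NOT Symfony's form theme or its fix.
// It models an unescaped validation message reaching the page as markup.

// Symfony constraint messages commonly carry a {{ value }} placeholder that the
// validator replaces with the submitted value; this helper mimics that step.
function buildValidationMessage(string $template, string $submitted): string
{
    return strtr($template, ['{{ value }}' => $submitted]);
}

// Minimal stand-in for the error objects a form theme iterates over
// (assumption: only getMessage() matters for rendering).
final class FormErrorStub
{
    private string $message;

    public function __construct(string $message)
    {
        $this->message = $message;
    }

    public function getMessage(): string
    {
        return $this->message;
    }
}

// Pre-fix shape: the message is written straight into the markup.
function renderErrorsUnescaped(array $errors): string
{
    $html = "<ul>\n";
    foreach ($errors as $error) {
        $html .= '  <li>' . $error->getMessage() . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Post-fix shape: HTML-escape every message before output. Symfony's PHP engine
// exposes $view->escape() for this; plain htmlspecialchars() has the same intent
// and keeps this script free of framework dependencies.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderErrorsEscaped(array $errors): string
{
    $html = "<ul>\n";
    foreach ($errors as $error) {
        $html .= '  <li>' . escapeHtml($error->getMessage()) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Crude check over rendered output: a raw <script tag inside an error list means
// the message was not escaped.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed attacker input: a field value that fails validation on purpose.
$submitted = '<script>alert(document.cookie)</script>';
$message   = buildValidationMessage('The value {{ value }} is not a valid email address.', $submitted);
$errors    = [new FormErrorStub($message)];

$vulnerable = renderErrorsUnescaped($errors);
$fixed      = renderErrorsEscaped($errors);

echo "--- unescaped (pre-fix behaviour) ---\n", $vulnerable;
echo "--- escaped (fixed behaviour) ---\n", $fixed;
echo 'raw <script> in unescaped output: ', var_export(containsRawScriptTag($vulnerable), true), "\n";
echo 'raw <script> in escaped output:   ', var_export(containsRawScriptTag($fixed), true), "\n";
```

Run it with `php example.php` (PHP 7.4 or later, for typed properties). The unescaped rendering emits the `<script>` element verbatim; the escaped rendering emits `&lt;script&gt;...`, which the browser shows as text. Two practical points follow from the description: validation messages are only dangerous when they can carry user-controlled text, so constraint messages that embed the submitted value (or messages built from request data) are the ones to audit; and the alert scopes the issue to the PHP templating engine's form theme, so an application that renders its forms only through Twig form themes is outside what this alert covers.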

Technical details

Unknown

Credits

Christophe Coevoet (stof)

Reference(s)

CVE-2019-10909: Escape validation messages in the PHP templating engine
https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

Drupal core – Moderately critical – Multiple Vulnerabilities – SA-CORE-2019-005
https://www.drupal.org/sa-core-2019-005

CVE-2019-10909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909

CVE-2019-10909
https://nvd.nist.gov/vuln/detail/CVE-2019-10909

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: April 27, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.