Allele Security Alert
ASA-2019-00228
Identifier(s)
ASA-2019-00228, CVE-2019-10909
Title
Escape validation messages in the PHP templating engine
Vendor(s)
Sensio Labs
Product(s)
Symfony
Affected version(s)
Symfony 2.7.0 to 2.7.50
Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6
Fixed version(s)
Symfony 2.7.51
Symfony 2.8.50
Symfony 3.4.26
Symfony 4.1.12
Symfony 4.2.7
Proof of concept
Unknown
Description
Validation messages were not escaped when rendered through the form theme of the PHP templating engine. Where those validation messages can contain user input, this could result in a cross-site scripting (XSS) vulnerability.
Technical details
Unknown
Credits
Christophe Coevoet (stof)
Reference(s)
CVE-2019-10909: Escape validation messages in the PHP templating engine
https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
Drupal core – Moderately critical – Multiple Vulnerabilities – SA-CORE-2019-005
https://www.drupal.org/sa-core-2019-005
CVE-2019-10909
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909
CVE-2019-10909
https://nvd.nist.gov/vuln/detail/CVE-2019-10909
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 27, 2019