Описание
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| symfony | fixed | 3.4.22+dfsg-2 | package |
Примечания
https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
EPSS
Связанные уязвимости
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
Уязвимость функции «setMethod» (symfony/http-foundation) программной платформы для разработки и управления веб-приложениями Symfony, связанная с отсутствием мер по защите структур SQL запросов, позволяющая нарушителю выполнить произвольный код через SQL-инъекцию
EPSS