Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
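The override flow the advisory describes, as an added illustration that is not Symfony's own code: a minimal stand-in for the lookup that symfony/http-foundation performs (the `X-HTTP-Method-Override` header, or a `_method` body field on a POST), once in the unvalidated form the advisory warns about and once with a check that rejects anything that is not a bare verb. The `MethodOverride` class, the `auditSql` and `errorHtml` sinks, and the `$server`/`$body` arrays are constructed for this example and are not Symfony APIs; the letters-only regex in the hardened variant is this example's own check, not a copy of the upstream patch.

```php
<?php
// Added example for the Symfony method-override issue; not code from
// symfony/http-foundation. Runs stand-alone with `php example.php`.
declare(strict_types=1);

final class MethodOverride
{
    // Verbs the application is prepared to route. Constructed list for the example.
    public const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS', 'TRACE', 'CONNECT', 'PURGE'];

    /**
     * Unvalidated resolution: whatever the client sent as the override is
     * upper-cased and returned. This is the pattern the advisory describes:
     * the value is treated as trusted input but never checked.
     */
    public static function resolveUnvalidated(array $server, array $body): string
    {
        $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
        if ($method !== 'POST') {
            return $method;                       // overrides only apply to POST
        }
        $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $body['_method'] ?? null;
        return $override === null ? $method : strtoupper((string) $override);
    }

    /**
     * Validated resolution: accept a known verb, or at least a bare token of
     * upper-case letters; reject everything else before it reaches any sink.
     * (Example's own check; not a copy of the upstream fix.)
     */
    public static function resolveValidated(array $server, array $body): string
    {
        $method = strtoupper((string) ($server['REQUEST_METHOD'] ?? 'GET'));
        if ($method !== 'POST') {
            return $method;
        }
        $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $body['_method'] ?? null;
        if ($override === null) {
            return $method;
        }
        $override = strtoupper((string) $override);
        if (\in_array($override, self::KNOWN_METHODS, true)) {
            return $override;
        }
        if (!preg_match('/^[A-Z]++$/D', $override)) {
            throw new UnexpectedValueException(sprintf('Invalid method override "%s".', $override));
        }
        return $override;
    }
}

// Downstream code that trusts the resolved method: an audit row built by string
// concatenation (SQL sink) and an error page that echoes the verb (HTML sink).
function auditSql(string $method): string
{
    return "INSERT INTO audit(method) VALUES ('" . $method . "')";
}

function errorHtml(string $method): string
{
    return '<p>Method ' . $method . ' is not allowed</p>';
}

// Constructed hostile request: a POST whose _method field carries a payload.
$server = ['REQUEST_METHOD' => 'POST'];
$body   = ['_method' => "'); DROP TABLE audit; --<script>alert(1)</script>"];

$raw = MethodOverride::resolveUnvalidated($server, $body);
echo 'unvalidated -> ', auditSql($raw), PHP_EOL;   // payload lands inside the query
echo 'unvalidated -> ', errorHtml($raw), PHP_EOL;  // payload lands inside the page

try {
    MethodOverride::resolveValidated($server, $body);
} catch (UnexpectedValueException $e) {
    echo 'validated   -> rejected: ', $e->getMessage(), PHP_EOL;
}
// A legitimate override still works once validated.
echo 'validated   -> ', MethodOverride::resolveValidated($server, ['_method' => 'delete']), PHP_EOL;
```

Note that upper-casing alone is not a defence: the payload survives `strtoupper` and still reaches both sinks. The fix is to reject the override at the point it is parsed, which is why the advisory lists the affected versions of the library rather than of any particular sink.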
Release | Status | Note |
---|---|---|
bionic | ignored | end of standard support, was needed |
cosmic | ignored | end of life |
devel | not-affected | 3.4.22+dfsg-2 |
disco | ignored | end of life |
eoan | not-affected | 3.4.22+dfsg-2 |
esm-apps/bionic | needed | |
esm-apps/focal | not-affected | 3.4.22+dfsg-2 |
esm-apps/jammy | not-affected | 3.4.22+dfsg-2 |
esm-apps/noble | not-affected | 3.4.22+dfsg-2 |
esm-apps/xenial | needed | |
CVSS2: 7.5 High
CVSS3: 9.8 Critical
Related vulnerabilities
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
Vulnerability in the «setMethod» function (symfony/http-foundation) of the Symfony web application development and management platform, related to missing protection of SQL query structure, allowing an attacker to execute arbitrary code via SQL injection