CVE-2019-10909
MEDIUM5.4EPSS 0.36%symfony - security update
Published: 11/12/2019Modified: 5/27/2026
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
Affected packages (6)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Debian/symfonyfrom 0, < 2.3.21+dfsg-4+deb8u5
- Packagist/drupal/core>= 8.0.0, < 8.5.15
- Packagist/drupal/drupal>= 8.0.0, < 8.5.15
- Packagist/symfony/framework-bundle>= 2.7.0, < 2.7.51
- Packagist/symfony/symfony>= 2.7.0, < 2.7.51
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10909
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10909
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2019-10909.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2019-10909.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2019-10909.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10909.yaml
- WEBhttps://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
- WEBhttps://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
- WEBhttps://symfony.com/cve-2019-10909
- WEBhttps://www.drupal.org/sa-core-2019-005
- WEBhttps://www.synology.com/security/advisory/Synology_SA_19_19