Homepage
About Snyk

Arbitrary Code Injection Affecting symfony/http-kernel package, versions >=2.3.0, <2.3.27 >=2.6.0, <2.6.6 >=2.1.0, <2.2.0 >=2.4.0, <2.5.0 >=2.5.0, <2.5.11 >=2.2.0, <2.3.0 >=2.0.0, <2.1.0

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 0.53% (77th percentile)
Expand this section
NVD
6.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SYMFONYHTTPKERNEL-70182
  • published 1 Apr 2015
  • disclosed 1 Apr 2015
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 1 Apr 2015

CVE-2015-2308 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade symfony/http-kernel to version 2.3.27, 2.6.6, 2.2.0, 2.5.0, 2.5.11, 2.3.0, 2.1.0 or higher.

Overview

Affected versions of symfony/http-kernel are vulnerable to Arbitrary Code Injection.

It allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.