Vulnerability Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation (form error) messages rendered through the PHP templating engine are not HTML-escaped. A constraint message that embeds the submitted value, or any other user-controlled string, is therefore written into the page verbatim, which can lead to cross-site scripting (XSS). This is related to symfony/framework-bundle.
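The following is an added illustration, not code from Symfony or from the advisory: a minimal stand-in for a PHP form theme that renders constraint violation messages. The message template, the `{{ value }}` placeholder and the submitted value are constructed for the example; `htmlspecialchars()` stands in for the templating engine's own escaping helper that the fix applies.

```php
<?php
declare(strict_types=1);

// Constructed sample (not from the advisory): a constraint message that
// interpolates the submitted value, and an attacker-controlled submission.
const MESSAGE_TEMPLATE = 'The value {{ value }} is not a valid choice.';
const USER_INPUT = '<img src=x onerror="alert(document.domain)">';

/**
 * Build the violation message the way a validator would: the placeholder is
 * replaced by the raw submitted value, so the message now carries user input.
 */
function buildViolationMessage(string $template, string $value): string
{
    return strtr($template, ['{{ value }}' => $value]);
}

/**
 * Vulnerable rendering: echoes each message as-is, which is what an
 * unescaped PHP form theme does. The payload lands in the HTML unchanged.
 */
function renderErrorsUnescaped(array $messages): string
{
    $html = "<ul>\n";
    foreach ($messages as $m) {
        $html .= '    <li>' . $m . "</li>\n";
    }
    return $html . "</ul>\n";
}

/**
 * Fixed rendering: HTML-escape every message at output time. ENT_QUOTES also
 * covers attribute contexts; ENT_SUBSTITUTE avoids silently dropping the
 * message on invalid UTF-8.
 */
function renderErrorsEscaped(array $messages): string
{
    $html = "<ul>\n";
    foreach ($messages as $m) {
        $html .= '    <li>' . htmlspecialchars($m, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

$message = buildViolationMessage(MESSAGE_TEMPLATE, USER_INPUT);

echo "Unescaped (vulnerable):\n", renderErrorsUnescaped([$message]);
echo "Escaped (fixed):\n", renderErrorsEscaped([$message]);

// Self-check: the fixed output must not contain a live tag from the input.
assert(strpos(renderErrorsEscaped([$message]), '<img') === false);
assert(strpos(renderErrorsUnescaped([$message]), '<img') !== false);
```

Run with `php example.php`. The check to make in a real application is the same: find every place a violation message reaches HTML (PHP templates, custom error renderers, JSON-to-DOM code on the client) and confirm it is escaped for that context, since upgrading Symfony only fixes the framework's own PHP form theme.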
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | >= 2.7.0, < 2.7.51 |
| Drupal | Drupal | >= 8.5.0, < 8.5.15 |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84 (Patch, Third Party Advisory)
- https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-te (Vendor Advisory)
- https://www.drupal.org/sa-core-2019-005 (Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_19_19 (Third Party Advisory)
FAQ
What is CVE-2019-10909?
CVE-2019-10909 is a cross-site scripting vulnerability with a CVSS score of 5.4 (MEDIUM). In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages rendered through the PHP templating engine are not escaped, which can lead to XSS when user input is included in the message. This is related to symfony/framework-bundle.
How severe is CVE-2019-10909?
CVE-2019-10909 has been rated MEDIUM with a CVSS base score of 5.4/10. Exploitation requires that a validation message carry attacker-influenced input and that a victim view the rendered form error, which is why the score is moderate rather than high.
Is there a patch for CVE-2019-10909?
Yes. Symfony fixed the issue in 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7; Drupal shipped the fix for the 8.5.x branch in 8.5.15 (see SA-CORE-2019-005). See the references section above for the Symfony commit and the vendor advisories. Affected products include: Sensiolabs Symfony, Drupal Drupal.