Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-10909)

Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Remediation

References

CVE-2019-10909

Related Vulnerabilities

WordPress Plugin DukaPress Directory Traversal (2.5.2)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2022-23302)

Joomla CVE-2012-0819 Vulnerability (CVE-2012-0819)

Mailman Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2021-44227)

WordPress Plugin WP jPlayer Cross-Site Scripting (0.1)

Severity

Medium

Classification

CVE-2019-10909 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N