Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-10909)

Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Remediation

References

CVE-2019-10909

Related Vulnerabilities

WordPress Plugin WP eCommerce 'cs1' Parameter SQL Injection (3.8.6)

WordPress Plugin MailPoet Newsletters (Previous) SQL Injection (2.2)

WordPress Plugin Easy Google Maps Cross-Site Scripting (1.9.33)

WordPress Plugin YITH WooCommerce Multi Vendor Cross-Site Scripting (3.8.0)

WordPress Plugin Font Uploader 'font-upload.php' Arbitrary File Upload (1.2.4)

Severity

Medium

Classification

CVE-2019-10909 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N