Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Remediation

References

CVE-2019-10910

Related Vulnerabilities

Drupal Credentials Management Errors Vulnerability (CVE-2009-2374)

WordPress Plugin GD Star Rating 'votes' Parameter SQL Injection (1.9.8)

Play Framework Improper Input Validation Vulnerability (CVE-2015-2156)

ownCloud Improper Authentication Vulnerability (CVE-2014-2047)

WordPress Plugin Facebook Promotion Generator for WordPress 'fbActivate.php' SQL Injection (1.3.3)

Severity

Critical

Classification

CVE-2019-10910 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities