Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Remediation

References

CVE-2019-10910

Related Vulnerabilities

Jboss EAP Improper Input Validation Vulnerability (CVE-2019-12400)

PHP Improper Input Validation Vulnerability (CVE-2011-0752)

XWiki Improper Authentication Vulnerability (CVE-2022-36093)

phpList Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2017-20032)

WordPress Plugin AddToAny Share Buttons Host Header Injection (1.7.14)

Severity

Critical

Classification

CVE-2019-10910 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities