Description
Your Symfony web application is using a weak/predictable application secret (APP_SECRET).
An attacker who obtains or guesses this secret can potentially execute arbitrary PHP code through the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.
Remediation
It's recommended to change Symfony's application secret (APP_SECRET) to a long random string.
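One way to check a deployment for this finding and produce a replacement value, as an added example that is not part of the original advisory or of Symfony itself. The function names, the denylist and the thresholds (32 characters, 128 bits of estimated entropy) are assumptions chosen for illustration, and the sample input is constructed.

```python
import math
import re
import secrets
from collections import Counter

# Assumed denylist: "ThisTokenIsNotSoSecretChangeIt" is the old Symfony Standard
# Edition placeholder; the other entries are constructed examples of placeholders.
KNOWN_WEAK = {"thistokenisnotsosecretchangeit", "changeme", "change_me", "secret"}
MIN_LENGTH, MIN_ENTROPY_BITS = 32, 128  # assumed policy thresholds
ENV_LINE = re.compile(r"^\s*(?:export\s+)?APP_SECRET\s*=\s*(.*?)\s*$")

def read_app_secret(env_text):
    """Return the last APP_SECRET assignment in dotenv text, or None if absent."""
    value = None
    for line in env_text.splitlines():
        m = ENV_LINE.match(line)  # commented-out lines start with '#' and never match
        if not m:
            continue
        raw = m.group(1)
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]                      # strip matching quotes
        else:
            raw = raw.split(" #", 1)[0].strip()  # drop an inline comment
        value = raw
    return value

def estimated_entropy_bits(value):
    """Shannon entropy of the character distribution times length (upper bound)."""
    n = len(value)
    return -sum(c * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def audit_secret(value):
    """Return a list of findings; an empty list means no weakness was detected."""
    if not value:
        return ["APP_SECRET is missing or empty"]
    findings = []
    if value.lower() in KNOWN_WEAK:
        findings.append("matches a known placeholder value")
    if len(value) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if estimated_entropy_bits(value) < MIN_ENTROPY_BITS:
        findings.append("low estimated entropy (repetitive or small alphabet)")
    return findings

def new_secret():
    """Return 64 hex characters (256 bits) from the OS CSPRNG."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    sample = "APP_SECRET=ThisTokenIsNotSoSecretChangeIt\n"  # constructed sample
    print(audit_secret(read_app_secret(sample)), new_secret())
```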