Description

Your Symfony web application is using a weak/predictable application secret (APP_SECRET).

An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.

Remediation

It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.

References

Secret Fragments

Acunetix

Related Vulnerabilities

Apache OFBiz RCE (CVE-2024-32113)

Telerik Web UI Unrestricted File Upload (CVE-2014-2217)

Apache Tapestry Unauthenticated RCE (CVE-2019-0195, CVE-2021-27850)

WordPress Plugin Video Embed & Thumbnail Generator 'kg_callffmpeg.php' Multiple Remote Code Execution Vulnerabilities (1.1)

WordPress Plugin WP Super Cache Remote Code Execution (1.7.1)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Weak Credentials