CVE-2013-1348
Symfony Vulnerable to PHP Code Injection via YAML Parsing
EPSS 0.62%
Description
The `Yaml::parse` function in Symfony 2.0.x before 2.0.22 allows remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.
How to fix CVE-2013-1348
To remediate CVE-2013-1348, upgrade the affected package to a fixed version below.
- Packagist/symfony/symfony—upgrade to 2.0.22 or later
- Packagist/symfony/yaml—upgrade to 2.0.22 or later
Is CVE-2013-1348 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Packagist/symfony/symfony: >= 2.0.0, < 2.0.22
- Packagist/symfony/yaml: >= 2.0.0, < 2.0.22
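One way to check a project against this advisory, as an added example that is not part of the original page: it reads a `composer.lock` and flags `symfony/symfony` and `symfony/yaml` when the locked version falls in `>= 2.0.0, < 2.0.22`. The sample lock content is constructed, and versions that are not plain `x.y.z` tags (branch aliases such as `2.0.x-dev`) are reported as `unknown` for manual review.

```python
import json
import re

# Package names and version range as listed on this page.
AFFECTED = {"symfony/symfony", "symfony/yaml"}
FIRST_AFFECTED = (2, 0, 0)
FIRST_FIXED = (2, 0, 22)

# Constructed sample composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/yaml", "version": "v2.0.21"},
        {"name": "monolog/monolog", "version": "1.3.1"},
    ],
    "packages-dev": [{"name": "symfony/symfony", "version": "2.0.x-dev"}],
})


def parse_version(raw):
    """Return (major, minor, patch) for 'v2.0.21' / '2.0.21', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def audit_lock(lock_text):
    """Return (name, locked_version, status) for each listed package found.
    status is 'affected', 'ok', or 'unknown' (version is not a plain tag)."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            name = pkg.get("name", "").lower()
            if name not in AFFECTED:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                status = "unknown"
            elif FIRST_AFFECTED <= version < FIRST_FIXED:
                status = "affected"
            else:
                status = "ok"
            findings.append((name, raw, status))
    return findings


if __name__ == "__main__":
    for name, raw, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {raw}: {status}")
```

To audit a real project, pass the contents of its `composer.lock` to `audit_lock` in place of `SAMPLE_LOCK`.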