CVE-2015-2308
Symfony Vulnerable to PHP Eval Injection
EPSS 0.54%
Description
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.
How to fix CVE-2015-2308
To remediate CVE-2015-2308, upgrade the affected package to a fixed version below.
- Debian/symfony: upgrade to 2.3.21+dfsg-4 or later
- Packagist/symfony/http-kernel: upgrade to 2.3.27 or later
- upgrade to 2.3.27 or later
Is CVE-2015-2308 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.3.21+dfsg-4
- >= 2.0.0, < 2.3.27
- >= 2.0.0, < 2.3.27