CVE-2019-10909
symfony - security update
5.4
MEDIUM
CVSS 3.1
EPSS 0.36%
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
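The bug class behind this CVE is a stored or reflected XSS through an error message: validators commonly interpolate the rejected value into the message, and the form theme then writes that message into HTML. Symfony's own advisory attributes the defect to the form theme of the PHP templating engine in FrameworkBundle (the Twig theme already escaped). The following is an added example, not Symfony's code: a hypothetical error renderer in the vulnerable shape beside the escaped version, run on a constructed payload.

```php
<?php
// Added example (not Symfony's own code). All function names are hypothetical;
// only the pattern mirrors the advisory: a validation message that carries
// user input is echoed into HTML without escaping.

declare(strict_types=1);

// Constructed input: what a user typed into a form field.
const USER_INPUT = '<script>alert(document.cookie)</script>';

/**
 * Mimics a constraint message such as 'The value "{{ value }}" is not valid.'
 * Because the rejected value is part of the message, attacker-controlled text
 * ends up in what the template later prints.
 */
function buildValidationMessage(string $value): string
{
    return sprintf('The value "%s" is not a valid username.', $value);
}

/** Vulnerable pattern: the message goes into the markup verbatim. */
function renderErrorsUnescaped(array $messages): string
{
    $html = '<ul class="errors">';
    foreach ($messages as $message) {
        $html .= '<li>' . $message . '</li>';
    }
    return $html . '</ul>';
}

/** Fixed pattern: escape for the HTML context at the point of output. */
function renderErrorsEscaped(array $messages): string
{
    $html = '<ul class="errors">';
    foreach ($messages as $message) {
        $html .= '<li>' . htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

/** Crude check used only for this demonstration: is a live <script> tag left? */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$messages = [buildValidationMessage(USER_INPUT)];

$before = renderErrorsUnescaped($messages);
$after  = renderErrorsEscaped($messages);

printf("unescaped output still contains <script>: %s\n", containsScriptTag($before) ? 'yes' : 'no');
printf("escaped output still contains <script>:   %s\n", containsScriptTag($after) ? 'yes' : 'no');
echo $after, "\n";
```

Run it with `php example.php`. The escaped branch prints `&lt;script&gt;` text that the browser shows literally; the unescaped branch would execute the payload for any user who sees the error. Note that the escaping belongs in the template layer, not in the validator: a message escaped at validation time breaks once the same message is reused in a non-HTML context (a JSON API response, an e-mail) and is easy to forget on a second output path.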
How to fix CVE-2019-10909
To remediate CVE-2019-10909, upgrade the affected package to one of the fixed versions listed below (several package names were not recorded on the source page; only the fixed version is given for those entries).
- Debian/symfony: upgrade to 3.4.22+dfsg-2 or later
- (package name missing): upgrade to 2.3.21+dfsg-4+deb8u5 or later
- (package name missing): upgrade to 8.5.15 or later
- (package name missing): upgrade to 8.5.15 or later
- (package name missing): upgrade to 2.7.51 or later
- (package name missing): upgrade to 2.7.51 or later
Is CVE-2019-10909 being exploited?
Low. The EPSS score is 0.36%, which means exploitation activity has not been observed at scale. EPSS estimates the probability of exploitation in the wild, not impact: whether this bug is reachable in a given application still depends on whether user input is interpolated into a validation message that the affected form theme renders into HTML.
Affected packages (6)
- (package name missing): from 0, < 3.4.22+dfsg-2
- (package name missing): from 0, < 2.3.21+dfsg-4+deb8u5
- (package name missing): >= 8.0.0, < 8.5.15
- (package name missing): >= 8.0.0, < 8.5.15
- (package name missing): >= 2.7.0, < 2.7.51
- (package name missing): >= 2.7.0, < 2.7.51
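Because the package names above are incomplete, the most reliable way to decide whether a deployment is affected is to compare the installed Symfony version against the ranges quoted in the description. The following is an added example, not code from the advisory or from Symfony: it implements those ranges for `symfony/symfony` and `symfony/framework-bundle` and runs them over a constructed `vendor/composer/installed.json`-style document. Treating "4.x before 4.1.12" as covering every 4.0.x and 4.1.x release below 4.1.12, and treating 4.3 and later as fixed, are assumptions made here.

```php
<?php
// Added example (not from the advisory or Symfony). Implements the version
// ranges from the CVE description; the function and variable names are
// hypothetical.

declare(strict_types=1);

/** Packages whose version string this check applies to. */
const CVE_2019_10909_PACKAGES = ['symfony/symfony', 'symfony/framework-bundle'];

/**
 * True if $version falls inside the affected ranges from the description:
 * < 2.7.51, 2.8.x < 2.8.50, 3.x < 3.4.26, 4.x < 4.1.12, 4.2.x < 4.2.7.
 * Pre-release suffixes (e.g. "-BETA1") are ignored, which is an assumption.
 */
function isAffectedByCve201910909(string $version): bool
{
    $v = ltrim($version, 'vV');                       // "v3.4.20" -> "3.4.20"
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $v, $m)) {
        throw new InvalidArgumentException("Unrecognised version string: $version");
    }
    $full  = $m[0];
    $major = (int) $m[1];
    $minor = (int) $m[2];

    if ($major === 2 && $minor <= 7) {
        return version_compare($full, '2.7.51', '<');
    }
    if ($major === 2 && $minor === 8) {
        return version_compare($full, '2.8.50', '<');
    }
    if ($major === 3) {
        return version_compare($full, '3.4.26', '<');
    }
    if ($major === 4 && $minor <= 1) {
        return version_compare($full, '4.1.12', '<');   // assumption: covers 4.0.x and 4.1.x
    }
    if ($major === 4 && $minor === 2) {
        return version_compare($full, '4.2.7', '<');
    }
    return false;                                      // assumption: 4.3+ ship the fix
}

/**
 * Scan a decoded installed.json document. Composer 2 wraps the list in a
 * "packages" key; Composer 1 wrote a bare array. Returns name => version for
 * every tracked package in an affected range.
 */
function findAffectedPackages(array $installed): array
{
    $packages = $installed['packages'] ?? $installed;
    $hits = [];
    foreach ($packages as $pkg) {
        if (!isset($pkg['name'], $pkg['version'])) {
            continue;
        }
        if (in_array($pkg['name'], CVE_2019_10909_PACKAGES, true)
            && isAffectedByCve201910909($pkg['version'])) {
            $hits[$pkg['name']] = $pkg['version'];
        }
    }
    return $hits;
}

// Constructed sample standing in for vendor/composer/installed.json.
$sampleInstalledJson = <<<'JSON'
{"packages": [
  {"name": "symfony/symfony",          "version": "v3.4.20"},
  {"name": "symfony/framework-bundle", "version": "v4.2.7"},
  {"name": "twig/twig",                "version": "v2.7.2"}
]}
JSON;

$installed = json_decode($sampleInstalledJson, true, 512, JSON_THROW_ON_ERROR);
$affected  = findAffectedPackages($installed);

if ($affected === []) {
    echo "No tracked package is in an affected range.\n";
} else {
    foreach ($affected as $name => $version) {
        printf("%s %s is affected by CVE-2019-10909\n", $name, $version);
    }
}
```

On a real project replace the inline sample with `json_decode(file_get_contents('vendor/composer/installed.json'), true)`, or simply run `composer audit` on a Composer version that supports it, which consults the same advisory data. The version check only tells you the code is present; confirming that the PHP templating engine form theme is actually in use is a separate question.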
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |