CVE-2019-10913
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
9.8
CRITICAL
CVSS 3.1
EPSS 0.26%
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
How to fix CVE-2019-10913
To remediate CVE-2019-10913, upgrade the affected package to a fixed version below.
- —upgrade to 3.4.22+dfsg-2 or later
- —upgrade to 2.7.51 or later
- —upgrade to 2.7.51 or later
Is CVE-2019-10913 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.4.22+dfsg-2
- >= 2.7.0, < 2.7.51
- >= 2.7.0, < 2.7.51
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10913
- ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-10913
- WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml
- WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml