Improper Encoding or Escaping of Output

CVE-2019-11325

High

9.8/10

Summary

An issue was discovered in Symfony 4.2.x up to 4.2.11, 4.3.x before 4.3.8, 4.4.0-BETA1 and 5.0.0-BETA1. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

Release Note
Advisory

Advisory Timeline

Published Nov 21, 2019

Improper Encoding or Escaping of Output

CVE-2019-11325

Summary

CWE-116 - Improper Encoding or Escaping of Output

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS