Improper Encoding or Escaping of Output
CVE-2019-11325
Summary
An issue was discovered in Symfony 4.2.x up to 4.2.11, 4.3.x before 4.3.8, 4.4.0-BETA1 and 5.0.0-BETA1. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
References
Advisory Timeline
- Published