PT-2015-6398 · Symfony · Symfony

Jakub Zalas · Published 2015-05-31 · Updated 2022-05-17 · CVE-2015-4050

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Symfony 2.3.19 through 2.3.28
Symfony 2.4.9 through 2.4.10
Symfony 2.5.4 through 2.5.11
Symfony 2.6.0 through 2.6.7

Description

When ESI or SSI support is enabled, remote attackers can bypass URL signing and the application's security rules by sending a request to the /_fragment endpoint with no hash or with an invalid hash. The cause is that the FragmentListener in the HttpKernel component does not check whether the _controller request attribute is set, so a request that should have been rejected for lacking a valid signature is let through.
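The property the description says was broken is that an external request to the fragment path must carry a valid signature, and that a missing or invalid hash is a rejection rather than a pass. The following is added example code, not Symfony's UriSigner or FragmentListener: it assumes the fragment path is /_fragment, that the signature travels in a _hash query parameter, that the controller to render is named in a _path parameter, and that the signature is HMAC-SHA256 over the URL with _hash removed, base64-encoded. All inputs are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Assumptions for this example (not Symfony's code): the fragment endpoint
# lives at /_fragment, the signature travels in the _hash query parameter,
# and the controller to render is described by the _path parameter.
FRAGMENT_PATH = "/_fragment"
SIGNATURE_PARAM = "_hash"


def _canonical(uri: str) -> str:
    """URI with _hash removed and the query sorted, so the signer and the
    checker always hash the same bytes."""
    parts = urlsplit(uri)
    query = sorted(
        (k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k != SIGNATURE_PARAM
    )
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def _digest(uri: str, secret: bytes) -> bytes:
    return hmac.new(secret, _canonical(uri).encode(), hashlib.sha256).digest()


def sign(uri: str, secret: bytes) -> str:
    """Return uri with a _hash parameter appended."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((SIGNATURE_PARAM, base64.urlsafe_b64encode(_digest(uri, secret)).decode()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def check(uri: str, secret: bytes) -> bool:
    """True only when exactly one _hash is present and it matches the URI."""
    parts = urlsplit(uri)
    given = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == SIGNATURE_PARAM]
    if len(given) != 1:
        return False  # no hash at all (or a duplicated one) is a rejection, not a pass
    try:
        provided = base64.urlsafe_b64decode(given[0].encode())
    except ValueError:
        return False
    return hmac.compare_digest(_digest(uri, secret), provided)


def authorize(uri: str, secret: bytes) -> str:
    """Gate an external request. Only the fragment path is signature-protected;
    there the signature must be valid regardless of anything else the request
    carries. The path is compared after percent-decoding so that /%5Ffragment
    cannot slip past the gate. Returns 'ignore', 'allow' or 'deny'."""
    if unquote(urlsplit(uri).path) != FRAGMENT_PATH:
        return "ignore"
    return "allow" if check(uri, secret) else "deny"


def demo() -> dict:
    """Constructed inputs: an internal URL naming the controller to render,
    its signed form, and the variants an attacker might send instead."""
    secret = b"constructed-demo-secret"  # constructed; load from config in real code
    unsigned = "http://app.example/_fragment?_path=_controller%3DApp%3AAdmin%3Apanel"
    signed = sign(unsigned, secret)
    bogus = unsigned + "&_hash=AAAA"
    tampered = signed.replace("Admin", "Other")  # same _hash, different controller
    return {
        "signed": authorize(signed, secret),
        "no_hash": authorize(unsigned, secret),
        "bad_hash": authorize(bogus, secret),
        "tampered": authorize(tampered, secret),
        "encoded_path": authorize(signed.replace("/_fragment", "/%5Ffragment"), secret),
        "other_path": authorize("http://app.example/blog?_path=x", secret),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>13}: {verdict}")
```

Three details carry the security weight: an absent hash returns False instead of skipping validation, the comparison uses hmac.compare_digest, and the path test decodes before comparing so an encoded spelling of the fragment path still reaches the gate.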
Recommendations

Symfony 2.3.19 through 2.3.28: update to 2.3.29.
Symfony 2.4.9 through 2.4.10: no fix is available because the 2.4 branch is no longer maintained; move to a fixed release on a maintained branch (2.5.12 or 2.6.8).
Symfony 2.5.4 through 2.5.11: update to 2.5.12.
Symfony 2.6.0 through 2.6.7: update to 2.6.8.
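To turn the ranges above into a check that can be run against a project's composer.lock, here is added example tooling (not from the advisory or from Symfony). The ranges and fix versions are the ones listed in the recommendations; the package names scanned (symfony/symfony for the full framework and symfony/http-kernel for the standalone component that contains the FragmentListener) and the composer.lock document are assumptions constructed for the demonstration.

```python
import json
from typing import List, Optional, Tuple

# Affected ranges and fixes as listed in the advisory: (first, last, fix).
# fix is None where the branch is unmaintained and no fixed release exists.
AFFECTED_RANGES = [
    ((2, 3, 19), (2, 3, 28), "2.3.29"),
    ((2, 4, 9), (2, 4, 10), None),
    ((2, 5, 4), (2, 5, 11), "2.5.12"),
    ((2, 6, 0), (2, 6, 7), "2.6.8"),
]

# Packages assumed to ship the HttpKernel FragmentListener: the full framework
# and the standalone component (their release numbers move together).
PACKAGES = ("symfony/symfony", "symfony/http-kernel")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """'v2.6.5' -> (2, 6, 5); '2.6' -> (2, 6, 0); None for branch aliases such
    as '2.6.x-dev' or 'dev-master', which cannot be compared with release ranges."""
    core = version.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0, 0]
    return nums[0], nums[1], nums[2]


def check_symfony_version(version: str) -> Tuple[Optional[bool], Optional[str]]:
    """Return (affected, fix_version). affected is None when the version
    string cannot be parsed; fix_version is None when there is no fixed
    release on that branch."""
    v = parse_version(version)
    if v is None:
        return None, None
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fix
    return False, None


def check_composer_lock(lock_json: str) -> List[dict]:
    """Report every monitored package found in a composer.lock document,
    across both the runtime and the dev sections."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") not in PACKAGES:
                continue
            version = pkg.get("version", "")
            affected, fix = check_symfony_version(version)
            status = {True: "affected", False: "not affected", None: "unknown"}[affected]
            findings.append({"name": pkg["name"], "version": version,
                             "status": status, "fix": fix})
    return findings


# Constructed composer.lock excerpt for the demonstration.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v2.6.5"},
        {"name": "twig/twig", "version": "v1.18.1"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    for finding in check_composer_lock(SAMPLE_COMPOSER_LOCK):
        target = finding["fix"] or "no fixed release on this branch"
        print(f"{finding['name']} {finding['version']}: {finding['status']} (fix: {target})")
```

A 2.4.x hit reports "affected" with no fix version, matching the recommendation that this branch has no patched release; dev aliases report "unknown" rather than silently passing as unaffected.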

Weakness Enumeration

Improper Access Control

Related identifiers

CVE-2015-4050
DSA-3276-1
GHSA-QMQW-MPQP-MR54

Affected products

Symfony