CVE-2017-5541

Name of the Vulnerable Software and Affected Versions Symphony CMS versions prior to 2.6.10

Description The issue allows remote attackers to rename arbitrary files by exploiting a directory traversal vulnerability. This is achieved by using a .. (dot dot) in the existing-folder and new-folder parameters within the template/usererror.missing extension.php file.

Recommendations For versions prior to 2.6.10, update to version 2.6.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the template/usererror.missing extension.php file until the update is applied. Avoid using the existing-folder and new-folder parameters in the affected file until the issue is resolved.