PT-2019-4602 · Symfony · Symfony
Mschop
·
Published
2019-04-17
·
Updated
2020-08-24
·
CVE-2019-10913
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Symfony versions prior to 2.7.51
Symfony versions 2.8.x prior to 2.8.50
Symfony versions 3.x prior to 3.4.26
Symfony versions 4.x prior to 4.1.12
Symfony versions 4.2.x prior to 4.2.7
Description
The flaw is in the symfony/http-foundation component. Request::getMethod() resolves the method from the REQUEST_METHOD verb and, for POST requests, from the X-HTTP-Method-Override header (or from the _method request parameter when Request::enableHttpMethodParameterOverride() has been called), applies strtoupper() and returns the result without checking that it is a legitimate method token. Because application and framework code commonly treats the request method as trusted data, an attacker who places an arbitrary string in the verb or in the override header can reach sinks that use the method unescaped: string-built SQL (SQL injection) or HTML output such as request logs and error pages (cross-site scripting). strtoupper() does not neutralise such a value; it only changes letters, leaving quotes, angle brackets, spaces and numeric character references intact. Fixed releases reject a resolved method that is neither a known HTTP method nor an uppercase alphabetic token.
Recommendations
For Symfony versions prior to 2.7.51, update to version 2.7.51 or later.
For Symfony versions 2.8.x prior to 2.8.50, update to version 2.8.50 or later.
For Symfony versions 3.x prior to 3.4.26, update to version 3.4.26 or later.
For Symfony versions 4.x prior to 4.1.12, update to version 4.1.12 or later.
For Symfony versions 4.2.x prior to 4.2.7, update to version 4.2.7 or later.
Until you can upgrade, do not treat the value returned by Request::getMethod() as trusted: validate it against the set of methods your application actually accepts (or at least against the pattern of an uppercase alphabetic token) before it reaches an SQL statement, a log rendered as HTML, or any other sink, and keep using parameterised queries and output escaping, which neutralise the value whatever its origin. Note that the override header is honoured by getMethod() itself for every POST request; no application call to setMethod() is needed for the unvalidated value to be used, so "disabling setMethod" is not a workaround. If you call Request::enableHttpMethodParameterOverride(), the _method request parameter is a second untrusted source of the method and must be validated in the same way.
Exploit
Fix
XSS
SQL injection
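The following is an added example written for this page, not code from the advisory or from Symfony. It reproduces in plain PHP the method resolution described above (verb, then the override header, then the optional _method parameter), shows how an unvalidated method flows into an SQL and an HTML sink, and places the hardened resolution (known-method list plus uppercase-token check) and hardened sinks beside them. The function names, the request_log table and the sample requests are constructed for this example and are not Symfony APIs.

```php
<?php
declare(strict_types=1);

// Stand-in for the pre-fix resolution: take REQUEST_METHOD and, for a POST, let the
// X-HTTP-Method-Override header (or, when parameter override is enabled, the _method
// field) replace it. Only strtoupper() is applied, which changes letters and leaves
// quotes, angle brackets, spaces and numeric character references untouched.
function resolveMethodUnvalidated(array $server, array $post = [], bool $paramOverride = false): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ('POST' === $method) {
        if (!empty($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
            $method = strtoupper($server['HTTP_X_HTTP_METHOD_OVERRIDE']);
        } elseif ($paramOverride) {
            $method = strtoupper($post['_method'] ?? 'POST');
        }
    }
    return $method;
}

// Hardened variant: same resolution, then accept only a well-known method or an
// uppercase alphabetic token; anything else is rejected before it reaches a sink.
function resolveMethodValidated(array $server, array $post = [], bool $paramOverride = false): string
{
    $method = resolveMethodUnvalidated($server, $post, $paramOverride);
    $known = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];
    if (in_array($method, $known, true)) {
        return $method;
    }
    if (!preg_match('/^[A-Z]++$/D', $method)) {
        throw new UnexpectedValueException(sprintf('Invalid method override "%s".', $method));
    }
    return $method;
}

// Two sinks that treat the method as trusted (hypothetical request_log table).
function logSqlUnsafe(string $method, string $path): string
{
    // String-built SQL: the method lands inside the quotes unescaped.
    return "INSERT INTO request_log (method, path) VALUES ('$method', '$path')";
}
function auditRowUnsafe(string $method, string $path): string
{
    // The path is escaped, the "trusted" method is not.
    return sprintf('<tr><td>%s</td><td>%s</td></tr>', $method, htmlspecialchars($path, ENT_QUOTES, 'UTF-8'));
}

// Hardened sinks: parameterise and escape regardless of where the value came from.
function logSqlSafe(string $method, string $path): array
{
    // Placeholder query plus bound values, to be handed to PDOStatement::execute().
    return ['INSERT INTO request_log (method, path) VALUES (?, ?)', [$method, $path]];
}
function auditRowSafe(string $method, string $path): string
{
    return sprintf('<tr><td>%s</td><td>%s</td></tr>',
        htmlspecialchars($method, ENT_QUOTES, 'UTF-8'), htmlspecialchars($path, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample requests (made up for this example). The XSS payload uses numeric
// character references for "alert" because strtoupper() would otherwise break the
// case-sensitive JavaScript identifier; tag and attribute names are case-insensitive.
$requests = [
    'sqli' => ['REQUEST_METHOD' => 'POST',
               'HTTP_X_HTTP_METHOD_OVERRIDE' => "GET', ''); DROP TABLE request_log; --"],
    'xss'  => ['REQUEST_METHOD' => 'POST',
               'HTTP_X_HTTP_METHOD_OVERRIDE' => '<svg onload="&#97;&#108;&#101;&#114;&#116;(1)">'],
    'ok'   => ['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'patch'],
];

foreach ($requests as $label => $server) {
    $unchecked = resolveMethodUnvalidated($server);
    echo "[$label] unvalidated method: $unchecked\n";
    echo "  sql:  ", logSqlUnsafe($unchecked, '/'), "\n";
    echo "  html: ", auditRowUnsafe($unchecked, '/'), "\n";
    try {
        $checked = resolveMethodValidated($server);
        [$sql, $params] = logSqlSafe($checked, '/');
        echo "  validated: $checked; safe html: ", auditRowSafe($checked, '/'), "; safe sql: $sql\n";
    } catch (UnexpectedValueException $e) {
        echo "  validated: rejected (", $e->getMessage(), ")\n";
    }
}
```

Run it with `php example.php`: the first two requests yield a method containing a quote or a tag that is spliced verbatim into the SQL string and the HTML row, while resolveMethodValidated() rejects them; only the third request (override value "patch") passes and is normalised to PATCH. The validation and the escaped/parameterised sinks are independent layers; a patched Symfony gives you the first, the second remains the application's job.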
Related Identifiers
Affected Products
Symfony