Symfony · Symfony · CVE-2018-19789
**Name of the Vulnerable Software and Affected Versions**
Symfony versions 2.7.x through 2.7.49
Symfony versions 2.8.x through 2.8.48
Symfony versions 3.x through 3.4.19
Symfony versions 4.0.x through 4.0.14
Symfony versions 4.1.x through 4.1.8
Symfony versions 4.2.x through 4.2.0
**Description**
An issue in Symfony discloses the path of an uploaded file when a setter method of a class used as a form's `data_class` declares the scalar type hint `string` and a file upload is submitted in place of a normal text input. In certain circumstances, when combined with a local file inclusion issue, this could escalate to Remote Code Execution. The vulnerability is related to unrestricted file uploads of dangerous types, which a remote attacker can exploit to execute arbitrary code or disclose protected information.
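The type coercion behind this disclosure, as an added example that is not Symfony's code or part of the original advisory: `SplFileInfo` (the base class of Symfony's `UploadedFile`) stands in for the uploaded file, and `Profile`, `bindUnchecked` and `bindChecked` are hypothetical names. It assumes the calling code runs in PHP's default non-strict typing mode.

```php
<?php
// Added illustration, not Symfony code. All class and function names are hypothetical.

final class Profile
{
    private $name = '';

    // Scalar type hint on a form-bound setter, as described in the advisory.
    public function setName(string $name): void
    {
        $this->name = $name;
    }

    public function getName(): string
    {
        return $this->name;
    }
}

// Before: whatever was submitted for the field goes straight to the setter.
function bindUnchecked(Profile $profile, $submitted): void
{
    // In non-strict mode an object that implements __toString() is coerced to
    // string at this call, so a file object's path becomes the field value.
    $profile->setName($submitted);
}

// After: a text field accepts only string data; anything else is rejected
// before it reaches the model (an assumed application-level guard).
function bindChecked(Profile $profile, $submitted): bool
{
    if (!is_string($submitted)) {
        return false; // treat as a validation failure, model left untouched
    }
    $profile->setName($submitted);
    return true;
}

// Constructed sample: a file object with a made-up temporary path.
$upload = new SplFileInfo('/tmp/phpCONSTRUCTED');

$unchecked = new Profile();
bindUnchecked($unchecked, $upload);
echo 'unchecked name: ', var_export($unchecked->getName(), true), PHP_EOL;

$checked = new Profile();
echo 'checked accepted: ', var_export(bindChecked($checked, $upload), true), PHP_EOL;
echo 'checked name: ', var_export($checked->getName(), true), PHP_EOL;
```

The guard covers a single field in application code; it does not replace updating to the versions listed under Recommendations.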
**Recommendations**
For Symfony versions 2.7.x through 2.7.49, update to version 2.7.50 or later.
For Symfony versions 2.8.x through 2.8.48, update to version 2.8.49 or later.
For Symfony versions 3.x through 3.4.19, update to version 3.4.20 or later.
For Symfony versions 4.0.x through 4.0.14, update to version 4.0.15 or later.
For Symfony versions 4.1.x through 4.1.8, update to version 4.1.9 or later.
For Symfony versions 4.2.x through 4.2.0, update to version 4.2.1 or later.