Symfony · CVE-2019-10913
**Name of the Vulnerable Software and Affected Versions**
Symfony versions prior to 2.7.51
Symfony versions 2.8.x prior to 2.8.50
Symfony versions 3.x prior to 3.4.26
Symfony versions 4.x prior to 4.1.12
Symfony versions 4.2.x prior to 4.2.7
**Description**
The issue lies in the symfony/http-foundation component: the HTTP method, whether taken from the request verb itself or from the method-override header, is treated as trusted input without validation. If an application passes that value into an SQL query or renders it into a page, the result can be SQL injection or cross-site scripting (XSS). The vulnerability is also related to the lack of protection for SQL query structures, which could allow a remote attacker to execute arbitrary code through SQL injection.
**Recommendations**
For Symfony versions prior to 2.7.51, update to version 2.7.51 or later.
For Symfony versions 2.8.x prior to 2.8.50, update to version 2.8.50 or later.
For Symfony versions 3.x prior to 3.4.26, update to version 3.4.26 or later.
For Symfony versions 4.x prior to 4.1.12, update to version 4.1.12 or later.
For Symfony versions 4.2.x prior to 4.2.7, update to version 4.2.7 or later.
As a temporary workaround, consider disabling the `setMethod` function until a patch can be applied. Restrict access to the symfony/http-foundation component to minimize the risk of exploitation, and avoid using unvalidated HTTP methods from the override header until the issue is resolved.
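To make the description and the last recommendation concrete, the following plain-PHP sketch (an added example, not code from Symfony or from this advisory) shows how an override-aware request object derives the effective method and where a validation step belongs before that value can reach SQL or HTML. The function names, the allowlist regex and the sample requests are assumptions constructed for illustration, not Symfony's exact implementation.

```php
<?php
// Added example, not Symfony code: resolve the effective HTTP method the way an
// override-aware framework does, then validate it before it is used anywhere.
// The regex and class names below are assumptions, not Symfony's exact check.

final class SuspiciousMethodException extends RuntimeException {}

/**
 * @param array<string,string> $server          constructed $_SERVER-like array
 * @param array<string,string> $post            constructed $_POST-like array
 * @param bool                 $overrideEnabled whether the _method parameter is honoured
 */
function resolveMethod(array $server, array $post, bool $overrideEnabled = false): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');

    // Overrides are only considered on POST, mirroring the usual framework behaviour.
    if ($method === 'POST') {
        if (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
            $method = $server['HTTP_X_HTTP_METHOD_OVERRIDE'];
        } elseif ($overrideEnabled && isset($post['_method'])) {
            $method = $post['_method'];
        }
    }
    $method = strtoupper($method);

    // Hardened step: the override value is client-controlled, so anything that is not
    // a bare token of letters is rejected before it can be interpolated or echoed.
    if (!preg_match('/^[A-Z]+$/D', $method)) {
        throw new SuspiciousMethodException('Invalid HTTP method override received');
    }

    return $method;
}

// Constructed requests: a legitimate override and a malformed one.
$legitimate = ['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'patch'];
$malformed  = ['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'PUT foo'];

echo 'effective method: ', resolveMethod($legitimate, []), "\n";

try {
    resolveMethod($malformed, []);
} catch (SuspiciousMethodException $e) {
    // Log and reject instead of letting the raw value flow onward.
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Until the upgrade is in place, applying the same allowlist check in application code wherever the request method is stored, queried or rendered removes the unvalidated path the advisory describes.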