PT-2018-2798 · Symfony · Symfony

David Gorges · Published 2018-12-06 · Updated 2022-05-14 · CVE-2018-19789

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Symfony versions 2.7.x through 2.7.49
Symfony versions 2.8.x through 2.8.48
Symfony versions 3.x through 3.4.19
Symfony versions 4.0.x through 4.0.14
Symfony versions 4.1.x through 4.1.8
Symfony versions 4.2.x through 4.2.0
Description

An issue in Symfony allows disclosure of the path of an uploaded file when a setter method of a form's data class uses the scalar type hint string and a file upload is submitted in place of a normal text input. In certain circumstances this could escalate to Remote Code Execution when combined with a local file inclusion issue. The vulnerability is related to unrestricted upload of files of dangerous types, which a remote attacker can exploit to execute arbitrary code or disclose protected information.
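As an added illustration of the mechanism described above (example code written for this page, not Symfony's code): Symfony's UploadedFile descends from SplFileInfo, whose __toString() returns the file's path, and in PHP's default coercive typing mode an object with __toString() satisfies a string-typed parameter. The stand-in upload class, the Profile data class, the sample path and the two binding functions below are all constructed for the example; the checked variant shows the defensive behaviour (a file submitted to a text field is a validation error, not data) without reproducing Symfony's implementation.

```php
<?php
// Added example, not Symfony's code. Demonstrates why a string-typed setter
// receives an upload's temporary path, and a binding check that refuses it.

// Stand-in for an uploaded-file object. Symfony's UploadedFile also descends
// from SplFileInfo, whose __toString() returns the pathname.
final class FakeUploadedFile extends SplFileInfo
{
    public function __construct()
    {
        // Constructed sample path; a real upload carries a path under PHP's upload dir.
        parent::__construct('/tmp/phpA1b2C3');
    }
}

// Form data class with a scalar-typed setter, as in the advisory.
final class Profile
{
    private string $name = '';

    public function setName(string $name): void
    {
        $this->name = $name;
    }

    public function getName(): string
    {
        return $this->name;
    }
}

// Vulnerable binding: hands the submitted value straight to the setter.
// Without strict_types, PHP coerces the file object via __toString(), so the
// setter stores the file's path instead of failing.
function bindUnchecked(Profile $profile, mixed $submitted): void
{
    $profile->setName($submitted);
}

// Hardened binding: a text field only ever accepts scalar input. An uploaded
// file object is reported as a form error and never reaches the setter.
function bindChecked(Profile $profile, mixed $submitted): array
{
    if ($submitted instanceof SplFileInfo || !is_scalar($submitted)) {
        return ['Submitted data was expected to be text, file given.'];
    }
    $profile->setName((string) $submitted);
    return [];
}

// Unchecked path: the name field now holds the coerced file object.
$profile = new Profile();
bindUnchecked($profile, new FakeUploadedFile());
echo 'unchecked name: ', $profile->getName(), PHP_EOL;

// Checked path: the error is returned and the name field stays untouched.
$profile = new Profile();
$errors = bindChecked($profile, new FakeUploadedFile());
echo 'checked errors: ', implode('; ', $errors), PHP_EOL;
echo 'checked name: ', var_export($profile->getName(), true), PHP_EOL;
```

Run with php 8.0 or later (the example uses the mixed type). Adding declare(strict_types=1) to the calling file would turn the coercion into a TypeError, but that only protects files compiled in strict mode; the binding-layer check protects the setter regardless of the caller's typing mode.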
Recommendations

For Symfony versions 2.7.x through 2.7.49, update to version 2.7.50 or later.
For Symfony versions 2.8.x through 2.8.48, update to version 2.8.49 or later.
For Symfony versions 3.x through 3.4.19, update to version 3.4.20 or later.
For Symfony versions 4.0.x through 4.0.14, update to version 4.0.15 or later.
For Symfony versions 4.1.x through 4.1.8, update to version 4.1.9 or later.
For Symfony versions 4.2.x through 4.2.0, update to version 4.2.1 or later.

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2019-01956
CVE-2018-19789
DLA-1707-1
DSA-4441-1
GHSA-X3CF-W64X-4CP2

Affected Products

Symfony