PT-2020-18349 · Symfony · Symfony
Xavier Lacot · Published 2020-03-30 · Updated 2024-03-06 · CVE-2020-5255
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Symfony versions prior to 4.4.7
Symfony versions prior to 5.0.7
Description
When a Response does not contain a Content-Type header, affected versions of Symfony can fall back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and its Content-Type header. When the response is cached, this can prevent other users from using the website.
Recommendations
For Symfony versions prior to 4.4.7, update to version 4.4.7 or later.
For Symfony versions prior to 5.0.7, update to version 5.0.7 or later.
As a temporary workaround, consider disabling the use of the Accept header to guess the Content-Type until a patch is available.
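One way to apply that workaround inside an application, as an added example that is not part of the advisory and not Symfony's own code: a kernel.response subscriber that gives every response an explicit Content-Type derived from the request's own format (the route `_format` attribute, default `html`) rather than from the client-controlled Accept header. It assumes the subscriber is registered with a priority higher than the framework's ResponseListener, which is what calls `Response::prepare()`; the class name and priority value are this example's own choices.

```php
<?php
// Added example for this advisory; not Symfony's code. Class name and
// priority are assumptions for illustration.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Sets an explicit Content-Type on any response that lacks one, using the
 * request format (route "_format", default "html") instead of the Accept
 * header. Because the header already exists when Response::prepare() runs
 * later in the same event, the Accept-based fallback never applies, so a
 * shared cache cannot store a body under a Content-Type chosen by one client.
 */
final class ContentTypeSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Priority 10 (assumed sufficient): run before the framework's
        // ResponseListener, which subscribes at the default priority 0.
        return [KernelEvents::RESPONSE => ['onKernelResponse', 10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $response = $event->getResponse();
        if ($response->headers->has('Content-Type')) {
            return; // the controller already declared what it is sending
        }

        $request = $event->getRequest();
        // getRequestFormat() is not influenced by the Accept header;
        // getMimeType() returns null for unknown formats, so keep a safe default.
        $mimeType = $request->getMimeType($request->getRequestFormat()) ?? 'text/html';
        $response->headers->set('Content-Type', $mimeType);
    }
}
```

Declaring the Content-Type explicitly in each controller (for example via the third argument of `new Response(...)`) achieves the same result without a subscriber; the listener only covers responses that forgot to do so.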
Affected Products
Symfony