PT-2024-10554 · Symfony · Symfony Frameworkbundle

Published 2024-05-30 · Updated 2024-05-30 · CVE-2014-4931

CVSS v3.1

7.5 High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Symfony FrameworkBundle (affected versions not specified)

Description

A code injection issue was found in the way Symfony implements translation caching in FrameworkBundle. The issue arises when an application uses the Symfony translation system and does not sanitize locales coming from a URL. An attacker can submit an invalid locale value containing PHP code that will be executed by Symfony, because the locale value is dumped into a PHP file generated in the cache without being sanitized first.

Recommendations

For Symfony FrameworkBundle, ensure that locales coming from URLs are properly sanitized to prevent code injection. As a temporary workaround, consider validating and filtering all locale values passed through routes with a locale argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
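
One way to apply the locale filtering recommended above before the value reaches the translator, shown as an added example (not code from this advisory or from Symfony). The function name, the supported-locale list and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not Symfony's own code.
// Assumed allow-list: the locales this application ships translations for.
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'pt_BR'];
const DEFAULT_LOCALE = 'en';

/**
 * Return a locale that is safe to pass to the translation layer.
 * The raw URL value is used only if it passes both checks; otherwise
 * the default is returned and the raw value is discarded.
 */
function resolveLocale(?string $raw): string
{
    if ($raw === null) {
        return DEFAULT_LOCALE;
    }

    // Shape check: language code with optional region, nothing else.
    // \A and \z anchor the whole string; a plain $ would also accept a
    // trailing newline, which would then end up in the generated file.
    if (preg_match('/\A[a-z]{2,3}(?:_[A-Z]{2})?\z/', $raw) !== 1) {
        return DEFAULT_LOCALE;
    }

    // Membership check: a well-formed but unsupported locale is refused
    // too, so no cache file is ever generated for an arbitrary name.
    return in_array($raw, SUPPORTED_LOCALES, true) ? $raw : DEFAULT_LOCALE;
}

// Constructed sample inputs: two valid locales, then values that must
// all fall back to the default (unknown locale, trailing newline, quote,
// statement separator, PHP open tag, path segment, missing value).
$samples = ['fr', 'pt_BR', 'xx', "en\n", "en'", 'en;', '<?php', '../en', null];

foreach ($samples as $sample) {
    printf("%-12s => %s\n", var_export($sample, true), resolveLocale($sample));
}
```

In Symfony the same allow-list can also be expressed as a route requirement on the `_locale` parameter, so that requests with any other value never match the route.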

Exploit

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2014-4931
GHSA-WFV7-5X33-V22H

Affected Products

Symfony Frameworkbundle