PT-2024-10559 · Symfony · Symfony Webprofiler

Published 2024-05-30 · Updated 2024-05-30 · CVE-2014-6072

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Symfony WebProfiler bundle versions 2.0.X through 2.5.X

Description
The Symfony Web Profiler, a development tool, should not be enabled on production servers due to the sensitive information it provides about a Symfony project. If enabled in production, it must be properly secured. The import/export feature of the web profiler is exploitable, even when secured, as it is not protected against CSRF attacks and uses PHP serialized strings, making the application vulnerable to code injection.

Recommendations
For Symfony 2.3, update to version 2.3.19 and use the profiler:import and profiler:export Symfony commands from the command line interface by adding the necessary code snippet to app/console. For Symfony 2.4 and 2.5, update to versions 2.4.9 and 2.5.4 respectively, and import the commands in your app/config.yml configuration file to use the profiler:import and profiler:export Symfony commands. For Symfony 2.0, 2.1, and 2.2, no fixes are provided as they are not maintained anymore. As a general recommendation, never enable the Symfony Web Profiler on production servers, and if it must be enabled, ensure it is properly secured.
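The general recommendation above, as an added example that is not part of this advisory or of the Symfony project's own code: in a Symfony 2.x Standard Edition kernel the profiler is kept off production by registering WebProfilerBundle only for the dev and test environments; the commented-out unconditional registration is the weak form. The bundle list and file layout are the standard-edition defaults and are assumed here.

```php
<?php
// app/AppKernel.php (Symfony 2.x Standard Edition layout, assumed)
use Symfony\Component\HttpKernel\Kernel;
use Symfony\Component\Config\Loader\LoaderInterface;

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = array(
            new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
            new Symfony\Bundle\SecurityBundle\SecurityBundle(),
            new Symfony\Bundle\TwigBundle\TwigBundle(),
            // Weak form: registering the profiler here, unconditionally,
            // ships it (and its import/export feature) with the prod kernel.
            // new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle(),
        );

        // Correct form: the profiler bundle only exists when the kernel is
        // booted as dev or test, so no /_profiler routes exist in prod.
        if (in_array($this->getEnvironment(), array('dev', 'test'))) {
            $bundles[] = new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle();
        }

        return $bundles;
    }

    public function registerContainerConfiguration(LoaderInterface $loader)
    {
        // Per-environment config: only the dev config (via routing_dev.yml)
        // imports the @WebProfilerBundle profiler routing; config_prod.yml
        // must not.
        $loader->load(__DIR__.'/config/config_'.$this->getEnvironment().'.yml');
    }
}
```

A quick check on a 2.x deployment is `php app/console router:debug --env=prod`: no `_profiler` or `_wdt` routes should be listed for the production environment.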

Exploit · Fix · Code Injection

Weakness Enumeration

Related Identifiers
CVE-2014-6072
GHSA-V35G-4RRW-H4FW

Affected Products
Symfony Webprofiler