PT-2024-22609 · Symfony · Symfony1

Darkpills · Published 2024-03-15 · Updated 2024-03-18 · CVE-2024-28859

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Symfony1 versions 1.3.0 through 1.5.17
Description: This issue is a gadget chain in Symfony1 introduced through its bundled Swift Mailer dependency. On its own it presents no direct threat, but it enables remote code execution in any project that passes untrusted data to unserialize(). Symfony1 depends on Swift Mailer, which has been bundled by default in the vendor directory since version 1.3.0. Several Swift Mailer classes implement __destruct() methods; when an attacker-controlled serialized object is unserialized, those destructors run with attacker-chosen property values and can be made to reach array or object properties the developer never intended, which ultimately leads to execution of arbitrary PHP code. The issue has been addressed in Symfony1 version 1.5.18.
Recommendations: For Symfony1 versions 1.3.0 through 1.5.17, update to version 1.5.18 or higher. If Swift Mailer is installed through Composer rather than from the bundled vendor directory, make sure its version is 6.2.5 or higher. If a Symfony1 1.5.x project must stay on Swift Mailer 5.x, fork Swift Mailer and cherry-pick the commit that fixes the vulnerability. As a temporary workaround, do not unserialize user input (cookies, request parameters, uploaded files) until the patch is applied; where native PHP serialization cannot be dropped, calling unserialize() with ['allowed_classes' => false] keeps the Swift Mailer classes out of reach at that call site, but it is a mitigation for the call site only, not a substitute for the update.
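The mechanism behind the description and the workaround, as an added example that is not code from Symfony1, Swift Mailer or this advisory: LoggerLikeGadget is a constructed stand-in for a class whose __destruct() is driven by its own properties (the real Swift Mailer classes and the actual chain are deliberately not reproduced), and the restoreState* and containsObjectToken function names, the marker file and the hand-built payload are assumptions made for the demonstration. It shows that unserialize() on untrusted input is enough to run a destructor with attacker-chosen values, and contrasts that with two hardened forms.

```php
<?php
declare(strict_types=1);

// Added illustration of the CVE-2024-28859 mechanism. Not code from Symfony1,
// Swift Mailer or the advisory. LoggerLikeGadget is a constructed stand-in for
// a class with a property-driven __destruct(); it is not a Swift Mailer class
// and this file is not the real gadget chain.

final class LoggerLikeGadget
{
    // Both properties are attacker-controlled once the object comes out of
    // unserialize(): the serialized string decides their values.
    public string $path = '/dev/null';
    public string $data = '';

    // Runs when the object is destroyed, i.e. as soon as the value returned
    // by unserialize() is dropped. The application never has to call anything.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: untrusted bytes (cookie, request parameter, upload) go
// straight into unserialize(), so every autoloadable class with a destructor
// becomes reachable.
function restoreStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid class instantiation. Object records come back as
// __PHP_Incomplete_Class, whose destruction runs no user code. Suitable when
// the legitimate data consists only of scalars and arrays.
function restoreStateHardened(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// Hardened pattern 2: do not use PHP's native format across a trust boundary
// at all. JSON has no way to name a class.
function restoreStateJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $value;
}

// Review / detection helper: does a serialized blob carry an object (O:) or
// custom-serialized (C:) record at all? Scalars and arrays never need one.
function containsObjectToken(string $serialized): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $serialized);
}

// Constructed payload, hand-built the way an attacker would build it rather
// than via serialize(), so no gadget instance exists before the test runs.
$marker  = sys_get_temp_dir() . '/gadget-marker-' . getmypid();
$payload = sprintf(
    'O:16:"LoggerLikeGadget":2:{s:4:"path";s:%d:"%s";s:4:"data";s:12:"destruct ran";}',
    strlen($marker),
    $marker
);

@unlink($marker);
restoreStateVulnerable($payload);          // object built, then dropped
$vulnerableWrote = file_exists($marker);   // true: __destruct() fired

@unlink($marker);
$safe = restoreStateHardened($payload);    // __PHP_Incomplete_Class instance
$hardenedWrote = file_exists($marker);     // false: no destructor reached

printf("payload carries an object token: %s\n", var_export(containsObjectToken($payload), true));
printf("vulnerable path wrote marker:    %s\n", var_export($vulnerableWrote, true));
printf("hardened path wrote marker:      %s\n", var_export($hardenedWrote, true));
printf("hardened result class:           %s\n", get_class($safe));
printf("json restore stays plain data:   %s\n", json_encode(restoreStateJson('{"user":"alice","role":"viewer"}')));
@unlink($marker);
```

Run it with PHP 8 from the command line; the vulnerable call creates the marker file purely as a side effect of the object being garbage-collected, while the allowed_classes variant never instantiates the class. For a Symfony1 project the corresponding check is a search for unserialize( across apps/, lib/ and plugins/ and, for each hit, a decision on whether its input can ever originate from a client: those call sites are what the chain needs, since the Swift Mailer classes only supply the destructor. The containsObjectToken() check is useful as a review aid or a coarse log filter, not as a security boundary, because legitimate data that does contain objects cannot be distinguished from a payload by its tokens alone.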

Exploit · Fix

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers: CVE-2024-28859 · GHSA-WJV8-PXR6-5F4R

Affected Products: Swiftmailer · Symfony1