In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDrupal
APPDrupal8.5.0 – 8.5.15 (bez)8.6.0 – 8.6.15 (bez)Sensiolabs Symfony
APPSensiolabs3.4.0 – 3.4.26 (bez)2.7.0 – 2.7.51 (bez)4.2.0 – 4.2.7 (bez)4.1.0 – 4.1.12 (bez)2.8.0 – 2.8.50 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCESQLi
CWE
References
Related vulnerabilities
CVE-2018-7602CRITICAL9.8⚠ KEVten sam produkt
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...
CVE-2018-7600CRITICAL9.8⚠ KEVten sam produkt
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...
CVE-2024-55637CRITICAL9.8PL ✓ten sam produkt
Deserializacja niezaufanych danych w Drupal Core umożliwia RCE
CVE-2024-55636CRITICAL9.8PL ✓ten sam produkt
Deserialization podatności w Drupal Core umożliwiająca RCE (Object Injection)
CVE-2024-55638CRITICAL9.8PL ✓ten sam produkt
Deserialization gadget chain w Drupal Core umożliwiający RCE