CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2019-10910

CVSS 9.8v3.1pub. 2019-05-16upd. 2024-11-21

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Drupal

    APP
    Drupal
    8.5.0 – 8.5.15 (bez)8.6.0 – 8.6.15 (bez)
  • Sensiolabs Symfony

    APP
    Sensiolabs
    3.4.0 – 3.4.26 (bez)2.7.0 – 2.7.51 (bez)4.2.0 – 4.2.7 (bez)4.1.0 – 4.1.12 (bez)2.8.0 – 2.8.50 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2018-7602CRITICAL9.8⚠ KEVten sam produkt

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentiall...

CVE-2018-7600CRITICAL9.8⚠ KEVten sam produkt

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to ex...

CVE-2024-55637CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Drupal Core umożliwia RCE

CVE-2024-55636CRITICAL9.8PL ✓ten sam produkt

Deserialization podatności w Drupal Core umożliwiająca RCE (Object Injection)

CVE-2024-55638CRITICAL9.8PL ✓ten sam produkt

Deserialization gadget chain w Drupal Core umożliwiający RCE