7.5
CVE-2019-18888
- EPSS 2.74%
- Veröffentlicht 21.11.2019 23:15:13
- Zuletzt bearbeitet 21.11.2024 04:33:47
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sensiolabs ≫ Symfony Version >= 2.8.0 <= 2.8.50
Sensiolabs ≫ Symfony Version >= 3.4.0 <= 3.4.34
Sensiolabs ≫ Symfony Version >= 4.2.0 <= 4.2.11
Sensiolabs ≫ Symfony Version >= 4.3.0 <= 4.3.7
Fedoraproject ≫ Fedora Version30
Fedoraproject ≫ Fedora Version31
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
Typ | Quelle | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 2.74% | 0.848 |
Quelle | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.