7.5
CVE-2019-18888
- EPSS 2.74%
- Published 21.11.2019 23:15:13
- Last modified 21.11.2024 04:33:47
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
Data is provided by the National Vulnerability Database (NVD)
Sensiolabs ≫ Symfony Version >= 2.8.0 <= 2.8.50
Sensiolabs ≫ Symfony Version >= 3.4.0 <= 3.4.34
Sensiolabs ≫ Symfony Version >= 4.2.0 <= 4.2.11
Sensiolabs ≫ Symfony Version >= 4.3.0 <= 4.3.7
Fedoraproject ≫ Fedora Version30
Fedoraproject ≫ Fedora Version31
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.74% | 0.848 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.