Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-10909)

Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Remediation

References

CVE-2019-10909

Related Vulnerabilities

SharePoint Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-0932)

ownCloud CVE-2017-9339 Vulnerability (CVE-2017-9339)

WordPress Plugin Ultimate Gift Cards For WooCommerce Cross-Site Request Forgery (2.1.1)

WordPress Plugin EZ SQL Reports Shortcode Widget and DB Backup Multiple Vulnerabilities (4.11.33)

WordPress Plugin WP Statistics Multiple Unspecified Vulnerabilities (9.6.5)

Severity

Medium

Classification

CVE-2019-10909 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N