Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Remediation

References

CVE-2019-10910

Related Vulnerabilities

WordPress Plugin Thrive Architect Security Bypass (2.6.7.3)

WordPress 5.8.x Multiple Prototype Pollution Vulnerabilities (5.8 - 5.8.3)

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark Security Bypass (2.8.7)

Moodle Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-25983)

WordPress Plugin Photo Gallery by 10Web-Mobile-Friendly Image Gallery Unspecified Vulnerability (1.2.100)

Severity

Critical

Classification

CVE-2019-10910 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities