Description

Your Symfony web application is using a weak/predictable application secret (APP_SECRET).

An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.

Remediation

It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.

References

Secret Fragments

Acunetix

Related Vulnerabilities

WordPress Plugin AccessAlly PHP Code Execution (3.3.1)

WordPress Plugin WP Maintenance Mode Remote Code Execution (2.0.6)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

WordPress Super Socialat backdoor plugin

Joomla! Core 3.9.x Remote Code Execution (3.9.7 - 3.9.8)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Weak Credentials