Description

Your Symfony web application is using a weak/predictable application secret (APP_SECRET).

An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.

Remediation

It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.

References

Secret Fragments

Acunetix

Related Vulnerabilities

Drupal Core 9.0.0 Remote Code Execution (9.0.0)

Drupal Core 8.5.0 Remote Code Execution (8.5.0)

MobileIron Remote Code Execution via LogService

Social Photo Gallery Remote Code Execution (1.0)

PHP 5.3.9 remote code execution

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution Weak Credentials