Description

Your Symfony web application is using a weak/predictable application secret (APP_SECRET).

An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.

Remediation

It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.

References

Secret Fragments

Acunetix

Related Vulnerabilities

WordPress Plugin Include Me Remote Code Execution (1.2.1)

WordPress Plugin WP Super Cache Remote Code Execution (1.7.1)

WordPress 2.6.2 Remote Code Execution Vulnerability (0.70 - 2.6.2)

Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution

PHP code injection

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Code Execution Weak Credentials