Description
Your Symfony web application is using a weak/predictable application secret (APP_SECRET).
An attacker who knows or guesses this secret can potentially execute arbitrary PHP code through the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.
Remediation
It is recommended to change Symfony's application secret (APP_SECRET) to a long random string.
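One way to check for and replace a weak secret, as an added example that is not part of the original advisory or of Symfony itself. It assumes the secret is stored as an `APP_SECRET=...` line in a dotenv file; the function names, the 32-character minimum and the placeholder word list are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit and rotate APP_SECRET in a Symfony dotenv file.
# Thresholds and placeholder words are assumptions of this example.

# Print the APP_SECRET value from a dotenv file (last assignment wins).
read_app_secret() {
    sed -n 's/^APP_SECRET=//p' "$1" | tail -n 1 | tr -d "\"'\r"
}

# Return 0 (true) when the secret is empty, short, placeholder-like or repetitive.
secret_is_weak() {
    local s="$1" lower distinct
    [ "${#s}" -lt 32 ] && return 0
    lower=$(printf '%s' "$s" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *change*|*secret*|*token*|*example*) return 0 ;;
    esac
    distinct=$(printf '%s' "$s" | fold -w1 | sort -u | wc -l)
    [ "$distinct" -lt 8 ] && return 0
    return 1
}

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
generate_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Replace (or append) APP_SECRET in place, keeping the file's permissions.
rotate_app_secret() {
    local file="$1" new tmp
    new=$(generate_secret)
    tmp=$(mktemp)
    if grep -q '^APP_SECRET=' "$file"; then
        sed "s/^APP_SECRET=.*/APP_SECRET=$new/" "$file" > "$tmp"
    else
        { cat "$file"; printf 'APP_SECRET=%s\n' "$new"; } > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed file (not a real project's configuration).
demo_env=$(mktemp)
printf 'APP_ENV=prod\nAPP_SECRET=ChangeMe123\n' > "$demo_env"
if secret_is_weak "$(read_app_secret "$demo_env")"; then
    rotate_app_secret "$demo_env"
    echo "APP_SECRET was weak and has been rotated"
fi
rm -f "$demo_env"
```

Rotating the secret invalidates signed URIs and remember-me cookies issued under the old value, so plan the change accordingly.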
Related Vulnerabilities
WordPress Plugin Duplicator-WordPress Migration Remote Code Execution (1.2.40)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-35150)
WordPress Plugin W3 Total Cache PHP Code Injection (0.9.2.8)
Craft CMS register_argc_argv RCE (CVE-2024-56145)
WordPress Plugin BackWPup Remote and Local Code Execution (1.6.1)