Description

Your Symfony web application is using a weak/predictable application secret (APP_SECRET).

An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.

Remediation

It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.

References

Secret Fragments

Acunetix

Related Vulnerabilities

WordPress Plugin Duplicator-WordPress Migration Remote Code Execution (1.2.40)

XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-35150)

WordPress Plugin W3 Total Cache PHP Code Injection (0.9.2.8)

Craft CMS register_argc_argv RCE (CVE-2024-56145)

WordPress Plugin BackWPup Remote and Local Code Execution (1.6.1)

Severity

High

Classification

CWE-94 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Weak Credentials