Description
It was identified that this application supports the legacy X-Original-URL and/or X-Rewrite-URL HTTP request headers.
When these headers are honoured, the value of X-Original-URL or X-Rewrite-URL replaces the path from the request line, so a client can request one URL while the web application routes and responds as if a different URL had been requested. Any rule that a higher-level cache, reverse proxy, WAF or front-end web server applies to the request-line path (access control, rate limiting, caching) can therefore be bypassed by requesting a permitted path and placing the restricted path in the header.
Web frameworks known to honour these headers include Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2, zend-diactoros up to 1.8.4, zend-http up to 2.8.1 and zend-feed up to 2.10.3; applications built on these versions are affected.
Remediation
Upgrade the affected web frameworks to a version that no longer honours these headers (any release after the affected ranges listed above). Independently of the upgrade, configure the reverse proxy or load balancer to strip X-Original-URL and X-Rewrite-URL from incoming requests, and do not rely on front-end path rules as the only access control for sensitive routes: the application itself must authorise access to them. After remediating, confirm that a request for an existing path with the header pointing at a non-existent path still returns the same response as without the header.
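The following is an added example, not code from this page or from Symfony or Zend Framework. It models the behaviour described in the Description (a front-end rule on the request-line path, a back-end that routes on the override header), the header-stripping mitigation from the Remediation, and a black-box check for whether a target honours the headers. The function names, the sample route table and the denied prefix are assumptions made for the example.

```python
"""Model of the X-Original-URL / X-Rewrite-URL path-override bypass.

Added example, not code from this page or from Symfony/Zend. It models a
front-end (reverse proxy, cache or WAF) that enforces a rule on the
request-line path and a back-end that honours the override headers.
Function names, route table and denied prefix are assumptions.
"""
from typing import Callable, Dict, Tuple

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

# Constructed sample deployment: the edge denies /admin; the back-end knows
# two routes and (wrongly) relies on the edge to protect the second one.
DENIED_PREFIXES = ("/admin",)
ROUTES = {"/", "/admin"}

Headers = Dict[str, str]
Response = Tuple[int, str]  # (status, path the back-end actually routed)


def edge_allows(request_path: str) -> bool:
    """Front-end rule: it only ever sees the path from the request line."""
    return not request_path.startswith(DENIED_PREFIXES)


def resolve_path(request_path: str, headers: Headers, honor_override: bool) -> str:
    """Back-end path resolution.

    honor_override=True reproduces the affected behaviour: a non-empty
    X-Original-URL or X-Rewrite-URL value replaces the request-line path
    (query string dropped). honor_override=False ignores the headers,
    which is what a fixed framework version does.
    """
    if honor_override:
        lowered = {name.lower(): value for name, value in headers.items()}
        for name in OVERRIDE_HEADERS:
            value = lowered.get(name, "")
            if value:
                return value.split("?", 1)[0]
    return request_path


def handle(request_path: str, headers: Headers, honor_override: bool) -> Response:
    """Edge check, then back-end dispatch."""
    if not edge_allows(request_path):
        return 403, request_path
    routed = resolve_path(request_path, headers, honor_override)
    if routed not in ROUTES:
        return 404, routed
    return 200, routed


def strip_override_headers(headers: Headers) -> Headers:
    """Edge-side mitigation: drop the override headers before forwarding."""
    return {name: value for name, value in headers.items()
            if name.lower() not in OVERRIDE_HEADERS}


def honours_override(send: Callable[[str, Headers], Response]) -> bool:
    """Black-box check: does the target route on the header?

    Request a path that normally succeeds, then the same path with the
    header pointing at a path that cannot exist. A status change means the
    header is honoured. `send` issues the request (here the model; in
    practice an HTTP client).
    """
    baseline, _ = send("/", {})
    for header in ("X-Original-URL", "X-Rewrite-URL"):
        probed, _ = send("/", {header: "/this-path-does-not-exist-9f3a1c"})
        if probed != baseline:
            return True
    return False


if __name__ == "__main__":
    print(handle("/admin", {}, True))                        # edge blocks it
    print(handle("/", {"X-Original-URL": "/admin"}, True))   # bypass: routed to /admin
    print(handle("/", strip_override_headers({"X-Original-URL": "/admin"}), True))
    print(honours_override(lambda p, h: handle(p, h, True)))
```

Against a live target the same check is a request for a known-good path with and without `X-Original-URL: /this-path-does-not-exist` (for example with curl's `-H` option); a 404 or other status change on the second request means the back-end is routing on the header, which is the condition this finding reports.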
Related Vulnerabilities
WordPress Plugin Responsive Poll Security Bypass (1.3.4)
WordPress Plugin YITH WooCommerce Recover Abandoned Cart Security Bypass (1.3.2)
WordPress Plugin FlyingPress Security Bypass (3.9.6)
WordPress Plugin wpCentral Security Bypass (1.4.7)
WordPress Plugin Blog2Social:Social Media Auto Post & Scheduler Security Bypass (6.9.11)