CVE-2024-28861
Last modified
CVE-2024-28861 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. EPSS estimates a 1.53% chance of exploitation in the next 30 days.
Description
Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Friendsofsymfony1 | Symfony1 | >= 1.1.0, < 1.5.9 |
References
- https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433Exploit, Mitigation, Vendor Advisory
- https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433Exploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-28861?
How severe is CVE-2024-28861?
How do I fix CVE-2024-28861?
Are you affected by CVE-2024-28861?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST