Headline

GHSA-mmcv-fvq8-r9x3: Symfony XML decoding attack vector through external entities

The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system.

7 months ago

ghsa

Open in Source

#vulnerability #git

Navigation Menu

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles

Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

GitHub Advisory Database
GitHub Reviewed
GHSA-mmcv-fvq8-r9x3

Symfony XML decoding attack vector through external entities

Critical severity GitHub Reviewed Published May 30, 2024 to the GitHub Advisory Database • Updated May 30, 2024

Package

composer symfony/symfony (Composer)

Affected versions

>= 2.0.0, < 2.0.11

Description

Published to the GitHub Advisory Database

May 30, 2024

Last updated

May 30, 2024

ghsa: Latest News

GHSA-j4jw-m6xr-fv6c: Soft Serve vulnerable to path traversal attacks

42 minutes ago

ghsa

GHSA-95m2-chm4-mq7m: PHP-Textile has persistent XSS vulnerability in image link handling

23 hours ago

ghsa

GHSA-2r2v-9pf8-6342: WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover

1 day ago

ghsa

GHSA-r5vf-wf4h-82gg: matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity

1 day ago

ghsa

GHSA-f27p-cmv8-xhm6: fetch: Authorization headers not dropped when redirecting cross-origin

1 day ago

ghsa