CVE-2019-11325
First published: Wed Nov 13 2019(Updated: )
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| composer/symfony/var-exporter | >=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| SensioLabs Symfony | >=4.2.0<4.2.12 | |
| SensioLabs Symfony | >=4.3.0<4.3.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-11325?
CVE-2019-11325 is a vulnerability related to the escaping of strings in VarExporter.
Which software is affected by CVE-2019-11325?
The vulnerability affects the Symfony framework versions 4.2.0 up to 4.2.12 and 4.3.0 up to 4.3.8, as well as the VarExporter package within Symfony.
How severe is CVE-2019-11325?
The severity of CVE-2019-11325 is not defined in the provided information.
How can I fix CVE-2019-11325?
To fix CVE-2019-11325, update the affected Symfony framework or VarExporter package to versions beyond the vulnerable range.
Where can I find more information about CVE-2019-11325?
More information about CVE-2019-11325 can be found at the following reference: [https://symfony.com/cve-2019-11325](https://symfony.com/cve-2019-11325)
- collector/friends-of-php
- collector/nvd-index
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/4.2.0
- version/sensiolabs symfony/4.3.0