← Back

CVE-2015-4050

nvd nistnuclei
Published: Jun 2, 2015Modified: May 6, 2026

JSON object

Loading...
4.3
Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD

Description

FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.

Affected (27)

Products: Sensiolabs: Symfony
Sensiolabs
1 product
Symfony
Configuration A
27 vulnerable
Vulnerable SoftwareAffected Versions
Sensiolabs
Symfony
Version 2.3.19
Symfony
Version 2.3.20
Symfony
Version 2.3.21
Symfony
Version 2.3.22
Symfony
Version 2.3.23
Symfony
Version 2.3.24
Symfony
Version 2.3.25
Symfony
Version 2.3.26
Symfony
Version 2.3.27
Symfony
Version 2.3.28
Symfony
Version 2.4.10
Symfony
Version 2.4.9
Symfony
Version 2.5.10
Symfony
Version 2.5.11
Symfony
Version 2.5.4
Symfony
Version 2.5.5
Symfony
Version 2.5.6
Symfony
Version 2.5.7
Symfony
Version 2.5.8
Symfony
Version 2.5.9
Symfony
Version 2.6.0
Symfony
Version 2.6.1
Symfony
Version 2.6.3
Symfony
Version 2.6.4
Symfony
Version 2.6.5
Symfony
Version 2.6.6
Symfony
Version 2.6.7

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (12)

Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.