CVE-2024-51736

Published: Nov 6, 2024Modified: Sep 4, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected (3)

Products: Sensiolabs: Symfony

1 product

Configuration A

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sensiolabs Symfony	Before 5.4.46
Sensiolabs Symfony	From 6.0.0 to 6.4.14
Sensiolabs Symfony	From 7.0.0 to 7.1.7

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (2)

https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q

Source: security-advisories@github.com

Vendor Advisory

https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.