RCE in Sensiolabs Symfony
CVE-2015-2308
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.005 (68.1th percentile)
Affected products
- Sensiolabs Symfony — versions 2.0.0, 2.0.1, 2.0.2
Weakness classification (CWE)
References
- cve@mitre.org (x_refsource_CONFIRM, Patch, Vendor Advisory)
- JVNDB-2015-000089 (x_refsource_JVNDB, third-party-advisory, Vendor Advisory)
- JVN#19578958 (x_refsource_JVN, third-party-advisory, Vendor Advisory)
- 75357 (vdb-entry, x_refsource_BID)