Moderate severity · NVD Advisory · Published Jun 24, 2015 · Updated May 6, 2026
CVE-2015-2308
Description
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/symfony (Packagist) | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/symfony (Packagist) | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/symfony (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
| symfony/http-kernel (Packagist) | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/http-kernel (Packagist) | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/http-kernel (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
Affected products
- cpe:2.3:a:sensiolabs:symfony:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.6.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- symfony.com/blog/cve-2015-2308-esi-code-injection [nvd] [Patch] [Vendor Advisory] [WEB]
- jvn.jp/en/jp/JVN19578958/index.html [nvd] [Vendor Advisory] [WEB]
- jvndb.jvn.jp/jvndb/JVNDB-2015-000089 [nvd] [Vendor Advisory] [WEB]
- github.com/advisories/GHSA-5c58-w9xc-qcj9 [ghsa] [ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2015-2308 [ghsa] [ADVISORY]
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml [ghsa] [WEB]
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml [ghsa] [WEB]
- github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a [ghsa] [WEB]
- symfony.com/cve-2015-2308 [ghsa] [WEB]
- web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357 [ghsa] [WEB]
- www.securityfocus.com/bid/75357 [nvd]