Moderate severity · NVD Advisory · Published Jun 24, 2015 · Updated Jun 17, 2026
CVE-2015-2308
Description
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/symfony (Packagist) | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/symfony (Packagist) | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/symfony (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
| symfony/http-kernel (Packagist) | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/http-kernel (Packagist) | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/http-kernel (Packagist) | >= 2.6.0, < 2.6.6 | 2.6.6 |
Affected products
77 · cpe:2.3:a:sensiolabs:symfony:2.0.0:*:*:*:*:*:*:* + 74 more
- ghsa-coords · 2 versions: >= 2.0.0, < 2.3.27 + 1 more
- (no CPE) range: >= 2.0.0, < 2.3.27
References (11)
- symfony.com/blog/cve-2015-2308-esi-code-injection (nvd; Patch, Vendor Advisory, WEB)
- jvn.jp/en/jp/JVN19578958/index.html (nvd; Vendor Advisory, WEB)
- jvndb.jvn.jp/jvndb/JVNDB-2015-000089 (nvd; Vendor Advisory, WEB)
- github.com/advisories/GHSA-5c58-w9xc-qcj9 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-2308 (ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml (ghsa; WEB)
- github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a (ghsa; WEB)
- symfony.com/cve-2015-2308 (ghsa; WEB)
- web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357 (ghsa; WEB)
- www.securityfocus.com/bid/75357 (nvd)