VYPR
Moderate severity · NVD Advisory · Published May 16, 2019 · Updated Aug 4, 2024

CVE-2019-10909

Description

In Symfony, validation messages are not escaped, leading to cross-site scripting (XSS) when user input is included in the messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Symfony framework-bundle fails to escape validation messages before rendering them. When user-supplied data is included in these messages, an attacker can inject arbitrary HTML or JavaScript. This affects Symfony versions before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7 [1][2]. The root cause is insufficient output encoding in the validation error handling process.
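The root cause in miniature, as an added PHP 8 example that is not Symfony's own code: a validator that interpolates the rejected value into its message, a rendering function that echoes that message raw into a list item (the pre-fix behaviour), and the same rendering with HTML escaping applied at the point of output (the post-fix behaviour). The `FormError` class, the `buildChoiceError` validator and the submitted value are all constructed for the demonstration; `escapeHtml` uses `htmlspecialchars` with `ENT_QUOTES`, which is the escaping a templating layer applies for element content.

```php
<?php
// Added example (not Symfony's code): why an unescaped validation message is
// an XSS sink, and what escaping at output changes. Requires PHP 8.
declare(strict_types=1);

// Constructed stand-in for a form error object exposing getMessage().
final class FormError
{
    public function __construct(private string $message)
    {
    }

    public function getMessage(): string
    {
        return $this->message;
    }
}

// Constructed validator: echoes the rejected value back inside its message,
// the way a "{{ value }} is not a valid choice" template would. The value is
// form input controlled by whoever submitted the form.
function buildChoiceError(string $submittedValue): FormError
{
    return new FormError(sprintf('The value "%s" is not a valid choice.', $submittedValue));
}

// Vulnerable rendering: mirrors the pre-fix form_errors template, which
// echoed $error->getMessage() directly into <li>.
function renderErrorsUnescaped(array $errors): string
{
    $out = "<ul>\n";
    foreach ($errors as $error) {
        $out .= '    <li>' . $error->getMessage() . "</li>\n";
    }
    return $out . "</ul>\n";
}

// HTML-context escaper: neutralises <, >, &, and both quote characters.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: the post-fix pattern, escaping at the point of output
// rather than trusting the message text.
function renderErrorsEscaped(array $errors): string
{
    $out = "<ul>\n";
    foreach ($errors as $error) {
        $out .= '    <li>' . escapeHtml($error->getMessage()) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample submission: a value that fails validation and carries markup.
$submitted = '<script>alert(1)</script>';
$errors = [buildChoiceError($submitted)];

echo "--- unescaped (vulnerable) ---\n", renderErrorsUnescaped($errors);
echo "--- escaped (fixed) ---\n", renderErrorsEscaped($errors);

// Regression check worth keeping in a test suite: the literal tag must not
// survive rendering, only its entity-encoded form.
$rendered = renderErrorsEscaped($errors);
assert(!str_contains($rendered, '<script>'));
assert(str_contains($rendered, '&lt;script&gt;'));
```

Run it with `php example.php`: the first listing contains a live `<script>` element inside the `<li>`, the second contains `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. The check at the end is the shape of a template regression test: assert on the entity-encoded form being present and the raw tag being absent, rather than on the message text alone.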

Exploitation

An attacker can exploit the flaw by submitting crafted input that fails validation; the rejected content is then reflected in the validation messages shown to the user. No authentication is required, but the attack typically requires user interaction (e.g., clicking on a crafted link) to achieve reflected XSS [2]. The CVSS 3.0 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [2].

Impact

Successful exploitation allows an attacker to execute arbitrary script in the victim's browser within the context of the affected application. This can lead to session hijacking, credential theft, or defacement. The confidentiality and integrity impacts are rated low, but the scope is rated as changed, meaning the impact reaches beyond the vulnerable component (the server-side application) into another one (the victim's browser) [2].

Mitigation

The vulnerability is fixed in Symfony versions 2.7.51, 2.8.50, 3.4.26, 4.1.12, and 4.2.7. Users should upgrade to these patched versions or later [1][4]. No workarounds are documented; updating the symfony/framework-bundle component is the recommended remediation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions      Patched version
symfony/symfony           Packagist   >= 2.7.0, < 2.7.51     2.7.51
symfony/symfony           Packagist   >= 2.8.0, < 2.8.50     2.8.50
symfony/symfony           Packagist   >= 3.0.0, < 3.4.26     3.4.26
symfony/symfony           Packagist   >= 4.0.0, < 4.1.12     4.1.12
symfony/symfony           Packagist   >= 4.2.0, < 4.2.7      4.2.7
symfony/framework-bundle  Packagist   >= 2.7.0, < 2.7.51     2.7.51
symfony/framework-bundle  Packagist   >= 2.8.0, < 2.8.50     2.8.50
symfony/framework-bundle  Packagist   >= 3.0.0, < 3.4.26     3.4.26
symfony/framework-bundle  Packagist   >= 4.0.0, < 4.1.12     4.1.12
symfony/framework-bundle  Packagist   >= 4.2.0, < 4.2.7      4.2.7
drupal/core               Packagist   >= 8.0.0, < 8.5.15     8.5.15
drupal/core               Packagist   >= 8.6.0, < 8.6.15     8.6.15
drupal/drupal             Packagist   >= 8.0.0, < 8.5.15     8.5.15
drupal/drupal             Packagist   >= 8.6.0, < 8.6.15     8.6.15
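A practical exposure check against the ranges listed above, as an added PHP 8 example that is not part of the advisory, of Symfony or of Composer: it reads a composer.lock, strips the leading `v` Composer puts on tagged versions, skips branch aliases such as `dev-master` that cannot be compared, and reports every package whose version falls inside an affected range together with the patched version to move to. The ranges are transcribed from the table; the embedded lock fragment is constructed so the script runs offline, and passing a path as the first argument makes it read a real file instead.

```php
<?php
// Added example (not from the advisory, Symfony or Composer): match the
// packages in a composer.lock against the affected ranges for CVE-2019-10909.
// Requires PHP 8. Usage: php check_lock.php [path/to/composer.lock]
declare(strict_types=1);

// package => list of [min inclusive, max exclusive, patched version],
// transcribed from the advisory's affected-packages table.
const AFFECTED = [
    'symfony/symfony' => [
        ['2.7.0', '2.7.51', '2.7.51'],
        ['2.8.0', '2.8.50', '2.8.50'],
        ['3.0.0', '3.4.26', '3.4.26'],
        ['4.0.0', '4.1.12', '4.1.12'],
        ['4.2.0', '4.2.7', '4.2.7'],
    ],
    'symfony/framework-bundle' => [
        ['2.7.0', '2.7.51', '2.7.51'],
        ['2.8.0', '2.8.50', '2.8.50'],
        ['3.0.0', '3.4.26', '3.4.26'],
        ['4.0.0', '4.1.12', '4.1.12'],
        ['4.2.0', '4.2.7', '4.2.7'],
    ],
    'drupal/core' => [
        ['8.0.0', '8.5.15', '8.5.15'],
        ['8.6.0', '8.6.15', '8.6.15'],
    ],
    'drupal/drupal' => [
        ['8.0.0', '8.5.15', '8.5.15'],
        ['8.6.0', '8.6.15', '8.6.15'],
    ],
];

// Composer writes tagged releases as "v4.2.6"; version_compare wants "4.2.6".
function normalizeVersion(string $version): string
{
    return ltrim($version, 'v');
}

// Returns one hit per (package, matching range) found in the lock data.
function findAffected(array $lock): array
{
    $hits = [];
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        $name = $pkg['name'] ?? '';
        if (!array_key_exists($name, AFFECTED)) {
            continue;
        }
        $version = normalizeVersion((string) ($pkg['version'] ?? ''));
        // Branch installs ("dev-main", "dev-master") carry no comparable number;
        // report them separately rather than silently passing them.
        if ($version === '' || str_starts_with($version, 'dev-')) {
            $hits[] = ['package' => $name, 'version' => $version, 'patched' => null];
            continue;
        }
        foreach (AFFECTED[$name] as [$min, $max, $patched]) {
            if (version_compare($version, $min, '>=') && version_compare($version, $max, '<')) {
                $hits[] = ['package' => $name, 'version' => $version, 'patched' => $patched];
            }
        }
    }
    return $hits;
}

// Constructed lock fragment standing in for a real composer.lock.
$sampleLock = <<<'JSON'
{"packages":[
  {"name":"symfony/framework-bundle","version":"v4.2.6"},
  {"name":"symfony/console","version":"v4.2.6"},
  {"name":"drupal/core","version":"8.6.15"}
],"packages-dev":[]}
JSON;

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
$lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

$hits = findAffected($lock);
foreach ($hits as $hit) {
    if ($hit['patched'] === null) {
        printf("%s is installed from a branch (%s); verify it manually against CVE-2019-10909\n",
            $hit['package'], $hit['version']);
    } else {
        printf("%s %s is affected by CVE-2019-10909; upgrade to %s or later\n",
            $hit['package'], $hit['version'], $hit['patched']);
    }
}
exit($hits === [] ? 0 : 1);
```

With the embedded sample the script reports `symfony/framework-bundle 4.2.6` as affected and stays silent about `drupal/core 8.6.15`, which sits exactly on the patched boundary; the non-zero exit status makes it usable as a CI gate. Both `symfony/symfony` and `symfony/framework-bundle` are listed because a project may depend on either the monolithic package or the individual bundle, and only the one actually present in the lock file is checked.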

Patches

ab4d05358c3d

Fix XSS issues in the form theme of the PHP templating engine

https://github.com/symfony/symfony · Christophe Coevoet · Apr 6, 2019 · via ghsa
3 files changed · +4 -4
  • src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/choice_widget_collapsed.html.php · +1 -1 · modified
    @@ -11,7 +11,7 @@
         <?php if (count($preferred_choices) > 0): ?>
             <?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $preferred_choices]) ?>
             <?php if (count($choices) > 0 && null !== $separator): ?>
    -            <option disabled="disabled"><?php echo $separator ?></option>
    +            <option disabled="disabled"><?php echo $view->escape($separator) ?></option>
             <?php endif ?>
         <?php endif ?>
         <?php echo $view['form']->block($form, 'choice_widget_options', ['choices' => $choices]) ?>
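Review bot: `$separator` now goes through `$view->escape()` before it lands as `<option>` element content, which is the right escaper for that context (HTML body text, not an attribute). The two `$view['form']->block(...)` calls on either side delegate the rendering of the actual choices to the `choice_widget_options` block, which this commit does not touch; it would be worth confirming that the labels and values echoed there use the same escaper, since a raw `echo` in that block would leave an identical sink in the same `<select>`.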
    
  • src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_errors.html.php · +1 -1 · modified
    @@ -1,7 +1,7 @@
     <?php if (count($errors) > 0): ?>
         <ul>
             <?php foreach ($errors as $error): ?>
    -            <li><?php echo $error->getMessage() ?></li>
    +            <li><?php echo $view->escape($error->getMessage()) ?></li>
             <?php endforeach; ?>
         </ul>
     <?php endif ?>
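Review bot: this is the sink the advisory describes: `$error->getMessage()` was echoed raw into `<li>`, so any rejected value a constraint interpolates into its message reached the page unencoded. `$view->escape()` is correct for element content. One follow-up: applications that deliberately put markup into custom validation messages will now see it rendered as text, so the change should come with an UPGRADE/CHANGELOG entry telling them to render such messages explicitly in their own theme rather than relying on this default template.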
    
  • src/Symfony/Bundle/FrameworkBundle/Resources/views/Form/form_start.html.php · +2 -2 · modified
    @@ -1,6 +1,6 @@
     <?php $method = strtoupper($method) ?>
     <?php $form_method = $method === 'GET' || $method === 'POST' ? $method : 'POST' ?>
    -<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $action ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
    +<form name="<?php echo $name ?>" method="<?php echo strtolower($form_method) ?>"<?php if ($action !== ''): ?> action="<?php echo $view->escape($action) ?>"<?php endif ?><?php foreach ($attr as $k => $v) { printf(' %s="%s"', $view->escape($k), $view->escape($v)); } ?><?php if ($multipart): ?> enctype="multipart/form-data"<?php endif ?>>
     <?php if ($form_method !== $method): ?>
    -    <input type="hidden" name="_method" value="<?php echo $method ?>" />
    +    <input type="hidden" name="_method" value="<?php echo $view->escape($method) ?>" />
     <?php endif ?>
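Review bot: `$action` and `$method` are now escaped, but `$name` in the `name="..."` attribute on the same `<form>` line is still echoed raw, while the `$attr` keys and values a few characters further along are escaped. Form names are normally developer-defined, but the template cannot know that, and `$view->escape($name)` would make the line consistent at no cost. The `strtolower($form_method)` echo is fine as it stands, since the preceding `$form_method = ...` assignment restricts it to `GET` or `POST`.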
    
