Moderate severityNVD Advisory· Published Mar 22, 2024· Updated Aug 20, 2024
Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder
CVE-2024-28861
Description
Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in sfNamespacedParameterHolder class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
friendsofsymfony1/symfony1Packagist | >= 1.1.0, < 1.5.19 | 1.5.19 |
Affected products
2- Range: >= 1.1.0, < 1.5.19
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-pv9j-c53q-h433ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony1/symfony1/CVE-2024-28861.yamlghsaWEB
- github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171amitrex_refsource_MISC
- github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.