CVE-2019-11325

Source
https://cve.org/CVERecord?id=CVE-2019-11325
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11325.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-11325
Aliases
Downstream
Published
2019-11-21T23:15:13.297Z
Modified
2026-03-10T22:07:54.017304Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.12"
        },
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "4.3.8"
        }
    ]
}

Affected versions

v2.*
v2.7.48
v2.7.49
v3.*
v3.4.20
v3.4.21
v3.4.22
v3.4.23
v3.4.24
v3.4.25
v3.4.26
v3.4.27
v3.4.28
v3.4.29
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v4.*
v4.1.10
v4.1.9
v4.2.0
v4.2.1
v4.2.10
v4.2.11
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.0-BETA1
v4.3.0-BETA2
v4.3.0-RC1
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11325.json"