CVE-2018-19789

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-19789
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19789.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-19789
Aliases
Downstream
Published
2018-12-18T22:29:04.947Z
Modified
2026-02-06T22:42:00.353401Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then UploadedFile::__toString() is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Introduced
34e089af7d363bd2ded8ad15f06b2b97348b97e5
Fixed
2c3b60af1f2884d6afbde03d1c5eefb625defed7
Introduced
de2f3d51160791ef254010953dbde178fee9845f
Fixed
46f402b83ce4b1b37a7351acc692cb348eb66b9f
Introduced
afa69c531f22fb4b9fc95017ec0e5d6c77db0c3c
Fixed
4e0a9bb6239f259a5a6fb11dd41fa6b782ee6ae5
Introduced
a8d5dd00894f8b5e3edb897f4504c51ddc442370
Fixed
c6715f3ffddcabdecb3c9934902621fbdce139c3
Introduced
946668ddc1fa0279fe03e2c090ebc29881f12ddb
Fixed
f56f12f983148be8739112509fa8578bca3b81de
Introduced
5b52f2e8214fdfb82f7ad5d5cd81543f31256bc1
Fixed
f8ea4e3feae37d300f661537878b28d8c7104a1d

Affected versions

v2.*
v2.6.10
v2.6.11
v2.7.0
v2.7.1
v2.7.10
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.48
v2.7.49
v2.7.5
v2.7.50
v2.7.51
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.0-BETA1
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.42
v2.8.43
v2.8.44
v2.8.45
v2.8.46
v2.8.47
v2.8.48
v2.8.49
v2.8.5
v2.8.50
v2.8.52
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.0-BETA1
v3.1.0-RC1
v3.1.1
v3.1.10
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-BETA1
v3.3.0-RC1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-BETA1
v3.4.0-BETA2
v3.4.0-BETA3
v3.4.0-BETA4
v3.4.0-RC1
v3.4.0-RC2
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v4.*
v4.0.0
v4.0.0-BETA1
v4.0.0-BETA2
v4.0.0-BETA3
v4.0.0-BETA4
v4.0.0-RC1
v4.0.0-RC2
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-BETA1
v4.1.0-BETA2
v4.1.0-BETA3
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.0-BETA2
v4.2.0-RC1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19789.json"

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
9975b1eca3de4db792a2c3e4e16f676a4aadcd46
Fixed
0848ce2c7f3c3ba6cece3f9457a96b176b05860c
Introduced
58261043876feb695640457c5675bb331a6eb3b7
Fixed
9993cdc7e9358e57a9c09d636fbe92ed9e797315
Introduced
26ca7023b1c45dce951da7206ed70049267d27bc
Fixed
a1cce5a8b410d3a760bd86bf9250236858a7905d
Introduced
7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483
Fixed
cadb4e8e3cb8dc472bf9f6c6a7419f0f280255b6
Introduced
eb2a4f5f7a09fc4ce7a74ae883a8cf8a279614f5
Fixed
f6b8ddc362b1cf3fb06548693c3adbb736092412
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Fixed
f8ac64c075a36bedd0de43192d9601c20b99716e

Affected versions

v2.*
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
v2.3.41
v2.3.42
v2.6.10
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.48
v2.7.49
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.0-BETA1
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.42
v2.8.43
v2.8.44
v2.8.45
v2.8.46
v2.8.47
v2.8.48
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.0
v3.1.0-BETA1
v3.1.0-RC1
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-BETA1
v3.3.0-RC1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-BETA1
v3.4.0-BETA2
v3.4.0-BETA3
v3.4.0-BETA4
v3.4.0-RC1
v3.4.0-RC2
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v4.*
v4.0.0
v4.0.0-BETA1
v4.0.0-BETA2
v4.0.0-BETA3
v4.0.0-BETA4
v4.0.0-RC1
v4.0.0-RC2
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-BETA1
v4.1.0-BETA2
v4.1.0-BETA3
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19789.json"