CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type

GIT

Repo

https://github.com/drupal/drupal

Events

Introduced

b73ab73d39dca97a12513e8a9e4f4da4b0676f5f

Fixed

c5bc3922f27c93ab3669428a504212adb801400f

Introduced

9b04d294324d9c76be4b596de4316cb8804e8223

Fixed

91ded4b7776e05ee9633bdc1c458b41c718133e0

Database specific

{
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "8.5.0"
        },
        {
            "fixed": "8.5.15"
        },
        {
            "introduced": "8.6.0"
        },
        {
            "fixed": "8.6.15"
        }
    ],
    "cpe": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"
}

Affected versions

8.*

8.5.0

8.5.12

8.5.13

8.5.14

8.5.4

8.5.5

8.5.7

8.6.0

8.6.1

8.6.11

8.6.12

8.6.14

8.6.3

8.6.4

8.6.5

8.6.8

8.6.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10909.json"

Git / github.com/symfony/symfony

Affected ranges

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

9975b1eca3de4db792a2c3e4e16f676a4aadcd46

Fixed

20f9c87a12a0749ad3a96da256b4d0f95aad4beb

Introduced

5615b92cd452cd54f1433a3f53de87c096a1107f

Fixed

2ef4e09343bdbdee0a7968f58b8ec594ce0aa47d

Introduced

0a47db379b8cc74cdd84e1e6870fafc4a4ac8351

Fixed

1b89e7baec9891c323bbf1ec81af77d901fc60c9

Introduced

58261043876feb695640457c5675bb331a6eb3b7

Fixed

482d06316077da115e5dac2afd2a7ce9f5f100f7

Introduced

7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483

Fixed

6122c791d640b75702514c18c8aae816dbbefae2

Fixed

ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2

Database specific

{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.51"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.50"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.26"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.1.12"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.7"
        }
    ],
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"
}

Affected versions

v2.*

v2.7.0

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.38

v2.7.39

v2.7.4

v2.7.40

v2.7.41

v2.7.42

v2.7.43

v2.7.44

v2.7.45

v2.7.46

v2.7.47

v2.7.48

v2.7.49

v2.7.5

v2.7.50

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.1

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.2

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.3

v2.8.30

v2.8.31

v2.8.32

v2.8.33

v2.8.34

v2.8.35

v2.8.36

v2.8.37

v2.8.38

v2.8.39

v2.8.4

v2.8.40

v2.8.41

v2.8.42

v2.8.43

v2.8.44

v2.8.45

v2.8.46

v2.8.47

v2.8.48

v2.8.49

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v3.*

v3.4.0

v3.4.1

v3.4.10

v3.4.11

v3.4.12

v3.4.13

v3.4.14

v3.4.15

v3.4.16

v3.4.17

v3.4.18

v3.4.19

v3.4.2

v3.4.20

v3.4.21

v3.4.22

v3.4.23

v3.4.24

v3.4.25

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v4.*

v4.1.0

v4.1.1

v4.1.10

v4.1.11

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10909.json"