CVE-2024-28861
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-28861
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28861.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-28861
- Aliases
- Published
- 2024-03-22T16:43:18.453Z
- Modified
- 2025-12-07T04:07:52.223588Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder
- Details
-
Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in
sfNamespacedParameterHolderclass that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28861.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-502" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28861.json
- https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a
- https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433
- https://nvd.nist.gov/vuln/detail/CVE-2024-28861