| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/symfony | composer | = 2.2-dev | |
| symfony/symfony | composer | >= 2.0.0, < 2.0.20 | 2.0.20 |
| symfony/symfony | composer | >= 2.1.0, < 2.1.5 | 2.1.5 |
The vulnerability stemmed from the InternalController's indexAction being reachable through the /_internal routes. This controller action accepted a 'controller' parameter that could name any service registered in the container. Before the fix (commit 1f8c501), it did not validate the controller class name, so a request could cause an arbitrary service to be executed. The Symfony security blog explicitly identifies this controller as the attack vector and describes how unsecured access to it allowed service execution.