5.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-19789

CVE-2018-19789: Symfony Path Disclosure

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class that's the data_class of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then UploadedFile::__toString() is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-19789

CVE-2018-19789:

5.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.7.0, < 2.7.50	2.7.50
symfony/symfony	composer	>= 2.8.0, < 2.8.49	2.8.49
symfony/symfony	composer	>= 3.0.0, < 3.4.20	3.4.20
symfony/symfony	composer	>= 4.0.0, < 4.0.15	4.0.15
symfony/symfony	composer	>= 4.1.0, < 4.1.9	4.1.9
symfony/symfony	composer	>= 4.2.0, < 4.2.1	4.2.1
symfony/form	composer	>= 2.7.0, < 2.7.50	2.7.50
symfony/form	composer	>= 2.8.0, < 2.8.49	2.8.49
symfony/form	composer	>= 3.0.0, < 3.4.20	3.4.20
symfony/form	composer	>= 4.0.0, < 4.0.15	4.0.15
symfony/form	composer	>= 4.1.0, < 4.1.9	4.1.9
symfony/form	composer	>= 4.2.0, < 4.2.1	4.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of file uploads in form fields not designed to accept files. The Form::submit method in vulnerable versions lacked the 'allow_file_upload' check shown in the patch (added via the transformationFailure logic). This allowed UploadedFile objects to reach setters expecting strings, triggering __toString() and path disclosure. The patch adds validation in this method to reject file uploads for non-file fields, confirming this as the vulnerable point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-19789: Symfony Path Disclosure

CVE-2018-19789:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2018-19789: Symfony Path Disclosure

5.3

5.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI