4.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5274

GHSA ID

GHSA-m884-279h-32v2

EPSS Score

0.50041%

CWE

CWE-209

Published

3/30/2020

Updated

2/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5274

CVE-2020-5274:
Exceptions displayed in non-debug configurations in Symfony

Description

When ErrorHandler renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-debug environments.

Resolution

The ErrorHandler class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-debug environments.

The patches for this issue are available here and here for branch 4.4.

Credits

I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

(GitHub Advisory)

4.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5274

GHSA ID

GHSA-m884-279h-32v2

EPSS Score

0.50041%

CWE

CWE-209

Published

3/30/2020

Updated

2/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/error-handler	composer	>= 4.4.0, < 4.4.4	4.4.4
symfony/error-handler	composer	>= 5.0.0, < 5.0.4	5.0.4
symfony/symfony	composer	>= 4.4.0, < 4.4.4	4.4.4
symfony/symfony	composer	>= 5.0.0, < 5.0.4	5.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The ErrorHandler.renderException method used scopedErrors to determine debug mode instead of the application's actual debug configuration, causing stacktraces to be displayed in production. 2) The HtmlErrorRenderer.template outputted exception properties (class, message, trace details) without HTML escaping, enabling XSS if exception messages contained user-controlled data. The commits fixed these by introducing a proper debug flag and adding escaping in the template rendering logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ription ----------- W**n `*rror**n*l*r` r*n**rs *n *x**ption *TML p***, it us*s un-*s**p** prop*rti*s *rom t** r*l*t** *x**ption *l*ss to r*n**r t** st**ktr***. T** s**urity issu* *om*s *rom t** ***t t**t t** st**ktr***s w*r* *lso *ispl*y** in n

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** `*rror**n*l*r.r*n**r*x**ption` m*t*o* us** s*op***rrors to **t*rmin* ***u* mo** inst*** o* t** *ppli**tion's **tu*l ***u* *on*i*ur*tion, **usin* st**ktr***s to ** *ispl*y** in pro*u*tion. *) T** `*t

4.6

Basic Information

Concerned about an active attack path?

CVE-2020-5274: Exceptions displayed in non-debug configurations in Symfony

Description

Resolution

Credits

4.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-5274:
Exceptions displayed in non-debug configurations in Symfony

Vulnerability Intelligence
Miggo AI