VDB
CVE-2015-4050
CVE-2015-4050
REJECTED
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
EPSS 76.19% · 98.9th percentile
Risk Scores
EPSS Score
76.19%
98.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | symfony | 0, 2.8.7+dfsg-1.3ubuntu1, 3.4.3+dfsg-1ubuntu4 |
| Ubuntu:16.04:LTS | symfony | 2.7.9+dfsg-1, *, 2.7.9+dfsg-1ubuntu2 |
Exploit Intelligence
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access (circl)
- FEDORA-2015-9039 (circl)
- DSA-3276 (circl)
- FEDORA-2015-9034 (circl)
- FEDORA-2015-9025 (circl)
- 74928 (circl)
- Nuclei Template: CVE-2015-4050 (nuclei-template)
- Nuclei Template: CVE-2015-4050 (nuclei-template)
- Nuclei Template: CVE-2015-4050 (nuclei-template)
- Nuclei Template: CVE-2015-4050 (nuclei-template)
…and 4 more exploits
Timeline
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Sep 7, 2023 EPSS Score
- Oct 29, 2023 EPSS Score
- Dec 21, 2023 EPSS Score
- Apr 4, 2024 EPSS Score
References
- https://ubuntu.com/security/CVE-2015-4050 third-party-advisory
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2015-4050 third-party-advisory