cvedb.io
CVE-2018-19789
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2018-12-18T22:29:04.947 · Last modified 2026-06-17T01:49:53.127

Summary

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.

Affected products

sensiolabs — symfony

Does this affect you?

Add your gear to cvedb and we'll alert you only when sensiolabs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.