Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-5274

Date: March 30, 2020

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the "ErrorHandler" rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5

Language: PHP

Severity Score

Related Resources (9)

https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5274.yaml
https://security-tracker.debian.org/tracker/CVE-2020-5274
https://nvd.nist.gov/vuln/detail/CVE-2020-5274
https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
https://symfony.com/cve-2020-5274
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/error-handler/CVE-2020-5274.yaml
https://www.mend.io/vulnerability-database/CVE-2020-5274

Severity Score

Weakness Type (CWE)

Generation of Error Message Containing Sensitive Information

CWE-209

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us