CVE-2024-28859

Summary

CVE-2024-28859 is a vulnerability in Symfony1, a community fork of Symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. The vulnerability exists in the Swift Mailer dependency of Symfony 1, which allows for remote code execution if a developer unserializes user input in their project. This vulnerability does not pose a direct threat but can be exploited by an attacker to execute remote code if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer, which is included by default in the vendor directory of the default installation since version 1.3.0. The vulnerability arises from the ability to include any object type in `$this->_keys`, allowing PHP to access unintended array/object properties and potentially abuse array access triggered during foreach loops. Remediation of this vulnerability involves updating to a patched version of Symfony1 that addresses the issue with Swift Mailer and avoiding the unsafe deserialization of user input.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.