CVE-2024-28859

CVSS 3.1 Score 5.0 of 10 (medium)

Details

Published Mar 15, 2024
Updated: Mar 17, 2024
CWE ID 502

Summary

CVE-2024-28859 is a vulnerability in Symfony1, a community fork of Symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. The vulnerability exists in the Swift Mailer dependency of Symfony 1, which allows for remote code execution if a developer unserializes user input in their project. This vulnerability does not pose a direct threat but can be exploited by an attacker to execute remote code if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer, which is included by default in the vendor directory of the default installation since version 1.3.0. The vulnerability arises from the ability to include any object type in $this->_keys, allowing PHP to access unintended array/object properties and potentially abuse array access triggered during foreach loops. Remediation of this vulnerability involves updating to a patched version of Symfony1 that addresses the issue with Swift Mailer and avoiding the unsafe deserialization of user input.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-28859 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options