CVE-2020-5274

Severity: Medium (CVSS 3.1 base score 5.4) · EPSS 64.2%
Published Mar 30, 2020 · Last Modified Jun 17, 2026

Description

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stack trace. In addition, the stack trace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stack trace is only displayed in a debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5.

For an affected deployment this means two things: text that reaches an exception property from untrusted input (a message built from the request, for example) is reflected into the HTML error page without escaping, and a production (non-debug) error page still exposes file paths and call frames from the trace, which is the information leak CWE-209 describes.
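The two defects and their fix, as an added example that is not Symfony's code: a minimal HTML error renderer in the vulnerable shape (properties concatenated verbatim, trace always emitted) next to the hardened shape (every property escaped, trace gated on a debug flag). The function names, the `$debug` flag, the `isSafeForProduction()` check and the sample exception are this example's own assumptions, not the framework's API.

```php
<?php
// Added example (not Symfony's code): a minimal HTML error renderer showing the
// two defects described for CVE-2020-5274 beside the hardened form.
// Function names, the $debug flag and the sample exception are this example's own.
declare(strict_types=1);

// VULNERABLE pattern: exception properties are concatenated into HTML verbatim,
// and the stack trace is emitted whether or not the application is in debug mode.
function renderVulnerable(Throwable $e, bool $debug): string
{
    $html  = '<h1>' . get_class($e) . '</h1>';
    $html .= '<p>' . $e->getMessage() . '</p>';           // unescaped: reflected HTML/JS
    $html .= '<p>' . $e->getFile() . ':' . $e->getLine() . '</p>';
    $html .= '<pre>' . $e->getTraceAsString() . '</pre>';  // shown even when $debug is false (CWE-209)
    return $html;
}

// HARDENED pattern: every property is HTML-escaped before it reaches the page,
// and file, line and trace are rendered only when $debug is true.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(Throwable $e, bool $debug): string
{
    $html  = '<h1>' . esc(get_class($e)) . '</h1>';
    $html .= '<p>' . esc($e->getMessage()) . '</p>';
    if ($debug) {
        $html .= '<p>' . esc($e->getFile()) . ':' . $e->getLine() . '</p>';
        $html .= '<pre>' . esc($e->getTraceAsString()) . '</pre>';
    }
    return $html;
}

// True when the rendered page contains neither a raw <script tag nor a <pre>
// trace block, i.e. when it is acceptable to serve with debug switched off.
function isSafeForProduction(string $html): bool
{
    return strpos($html, '<script') === false && strpos($html, '<pre>') === false;
}

// Constructed input: an exception whose message embeds attacker-controlled text,
// for instance a "no route found" message that echoes the requested path.
$payload   = '<script>alert(document.cookie)</script>';
$exception = new RuntimeException('No route found for "' . $payload . '"');

foreach (['vulnerable' => 'renderVulnerable', 'hardened' => 'renderHardened'] as $label => $fn) {
    $html = $fn($exception, false);   // production: debug off
    printf("%-10s safe=%s\n%s\n\n", $label, isSafeForProduction($html) ? 'yes' : 'no', $html);
}
```

Run it with `php` on the command line. The point of the `$debug` gate is that the escaping and the gating are independent fixes: escaping alone still leaks paths and frames to anonymous users, gating alone still reflects markup when debug is on, so the hardened renderer needs both.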

CVSS Details

Base Score
5.4
Exploitability
2.8
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS exploit probability: 64.2% (reported as percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-209: Generation of Error Message Containing Sensitive Information

Affected Products (2)

Vendor      Product   Version   Range
sensiolabs  symfony   *         ≥4.4.0 – ≤4.4.4 (fixed in 4.4.5)
sensiolabs  symfony   *         ≥5.0.0 – ≤5.0.4 (fixed in 5.0.5)
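A way to check a project against these ranges, as an added example that is not part of the page or of Symfony: scan `composer.lock` for watched packages locked inside the affected versions. The package list is an assumption (the page names symfony/symfony and symfony/http-foundation; symfony/error-handler is the 4.4+ component that contains the `ErrorHandler` class), and the lock-file content is constructed inline.

```php
<?php
// Added example (not Symfony's or the page's code): scan a composer.lock for
// packages locked to a version inside the CVE-2020-5274 ranges. The package
// list is an assumption; the lock-file content below is constructed.
declare(strict_types=1);

// [first affected version, first fixed version] per branch, per the advisory text.
const AFFECTED_RANGES = [
    ['4.4.0', '4.4.5'],
    ['5.0.0', '5.0.5'],
];

// Assumed package names: the monolith, the package the description names,
// and the component that ships the ErrorHandler class in 4.4+.
const WATCHED_PACKAGES = [
    'symfony/symfony',
    'symfony/http-foundation',
    'symfony/error-handler',
];

// Strip Composer's leading "v" and any stability suffix ("-RC1", "+build")
// so version_compare() sees a plain dotted number.
function normalizeVersion(string $version): string
{
    $v = ltrim($version, 'vV');
    return preg_replace('/[-+].*$/', '', $v) ?? $v;
}

// 'affected' if inside a vulnerable range, 'ok' if not, and 'review' for
// branch aliases such as "4.4.x-dev" that cannot be compared numerically
// and must not silently pass the check.
function classify(string $version): string
{
    $v = normalizeVersion($version);
    if (!preg_match('/^\d+(\.\d+)*$/', $v)) {
        return 'review';
    }
    foreach (AFFECTED_RANGES as [$firstAffected, $firstFixed]) {
        if (version_compare($v, $firstAffected, '>=') && version_compare($v, $firstFixed, '<')) {
            return 'affected';
        }
    }
    return 'ok';
}

// Returns [name => [version, status]] for every watched package in the lock
// whose status is not 'ok'; both "packages" and "packages-dev" are scanned.
function auditLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (!in_array($pkg['name'], WATCHED_PACKAGES, true)) {
                continue;
            }
            $status = classify($pkg['version']);
            if ($status !== 'ok') {
                $findings[$pkg['name']] = [$pkg['version'], $status];
            }
        }
    }
    return $findings;
}

// Constructed sample lock: one version in range, one on the fixed release,
// one unrelated package, and one branch alias in the dev section.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'symfony/http-foundation', 'version' => 'v4.4.4'],
        ['name' => 'symfony/error-handler',   'version' => 'v5.0.5'],
        ['name' => 'twig/twig',               'version' => 'v3.0.3'],
    ],
    'packages-dev' => [
        ['name' => 'symfony/symfony',         'version' => '4.4.x-dev'],
    ],
]);

foreach (auditLock($sampleLock) as $name => [$version, $status]) {
    printf("%-9s %s %s\n", strtoupper($status), $name, $version);
}
```

To run it against a real project, replace `$sampleLock` with `file_get_contents('composer.lock')`. Branch aliases are reported for manual review rather than dropped, because a lock pinned to `4.4.x-dev` may resolve to a commit either side of the fix.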

References (3)

  • https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
    Patch, Third Party Advisory
  • https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
    Patch, Third Party Advisory
  • https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2
    Third Party Advisory

Remediation

Upgrade to symfony/http-foundation 4.4.5 or 5.0.5 (or later); the two commits below are the upstream fixes that escape all exception properties and restrict the stack trace to debug mode.

  • https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
    Patch, Third Party Advisory
  • https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
    Patch, Third Party Advisory