Vulnerability Details : CVE-2012-5574
lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.
Products affected by CVE-2012-5574
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.16:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.17:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:1.4.18:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-5574
- EPSS score: 1.31% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2012-5574
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | 
CWE ids for CVE-2012-5574
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5574
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093920.html
  [SECURITY] Fedora 17 Update: php-symfony-symfony-1.4.20-2.fc17
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80309
  Symfony unspecified information disclosure CVE-2012-5574 Vulnerability Report
- http://www.openwall.com/lists/oss-security/2012/11/26/12
  oss-security - Re: CVE Request -- Symfony (php-symfony-symfony) < 1.4.20: Ability to read arbitrary files on the server, readable with the web server privileges (Patch)
- https://bugzilla.redhat.com/show_bug.cgi?id=880240
  880240 – (CVE-2012-5574) CVE-2012-5574 php-symfony-symfony: Ability to read arbitrary files on the server, readable with the web server privileges
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093698.html
  [SECURITY] Fedora 18 Update: php-symfony-symfony-1.4.20-2.fc18
- https://bugs.gentoo.org/show_bug.cgi?id=444696
  444696 – (CVE-2012-5574) <dev-php/symfony-1.4.20: Allows reading any file stored on the server if it is readable by the web server (CVE-2012-5574) (Exploit)
- http://symfony.com/blog/security-release-symfony-1-4-20-released
  Security release: symfony 1.4.20 released (Symfony Blog) (Patch; Vendor Advisory)
- http://trac.symfony-project.org/changeset/33598
  Symfony, High Performance PHP Framework for Web Development (Patch)
- http://www.securityfocus.com/bid/56685
  Symfony CVE-2012-5574 Arbitrary File Access Vulnerability
- http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093922.html
  [SECURITY] Fedora 16 Update: php-symfony-symfony-1.4.20-2.fc16