In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
https://www.synology.com/security/advisory/Synology_SA_19_19
https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b