Symfony versions prior to 5.4.46 or 6.x prior to 6.4.14 or 7.x prior to 7.1.7 is vulnerable when the register_argc_argv php directive is set to 'on' and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Note that since the vulnerable Symfony component is embedded in Laravel, the plugin is likely to detect a vulnerable Laravel instance.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7272-1 advisory.

    Soner Sayakci discovered that Symfony incorrectly handled cookie storage in the web cache. An attacker     could possibly use this issue to obtain sensitive information and access unauthorized resources.
    (CVE-2022-24894)

    Marco Squarcina discovered that Symfony incorrectly handled the storage of user session information. An     attacker could possibly use this issue to perform a cross-site request forgery (CSRF) attack.
    (CVE-2022-24895)

    Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An attacker could possibly use this     issue to perform cross site scripting. (CVE-2023-46734)

    Vladimir Dusheyko discovered that Symfony incorrectly sanitized special input with a PHP directive in URL     query strings. An attacker could possibly use this issue to expose sensitive information or cause a denial     of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50340)

    Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony incorrectly handled user     authentication. An attacker could possibly use this issue to access unauthorized resources and expose     sensitive information. This issue was only addressed in Ubuntu 24.04 LTS. (CVE-2024-50341, CVE-2024-51996)

    Linus Karlsson and Chris Smith discovered that Symfony returned internal host information during host     resolution. An attacker could possibly use this issue to obtain sensitive information. This issue only     affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342)

    It was discovered that Symfony incorrectly parsed user input through regular expressions. An attacker     could possibly use this issue to expose sensitive information. (CVE-2024-50343)

    Sam Mush discovered that Symfony incorrectly parsed URIs with special characters. An attacker could     possibly use this issue to perform phishing attacks. (CVE-2024-50345)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5809 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5809-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     November 11, 2024                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : symfony     CVE ID         : CVE-2024-50340 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345

    Multiple vulnerabilities have been found in the Symfony PHP framework     which could lead to privilege escalation, information disclosure,     incorrect validation or an open redirect.

    For the stable distribution (bookworm), these problems have been fixed in     version 5.4.23+dfsg-1+deb12u3.

    We recommend that you upgrade your symfony packages.

    For the detailed security status of symfony please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/symfony

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from     global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a     special crafted query string, they are able to change the environment or debug mode used by the kernel     when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the     `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds     for this vulnerability. (CVE-2024-50340)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Published	Updated	Severity
114497	Symfony < 5.4.46 / 6.x < 6.4.14 / 7.x < 7.1.7 Improper Input Handling	Web App Scanning	Component Vulnerability	11/7/2024	11/20/2024	high
216425	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : Symfony vulnerabilities (USN-7272-1)	Nessus	Ubuntu Local Security Checks	2/18/2025	2/18/2025	high
210744	Debian dsa-5809 : php-symfony - security update	Nessus	Debian Local Security Checks	11/11/2024	11/11/2024	high
231866	Linux Distros Unpatched Vulnerability : CVE-2024-50340	Nessus	Misc.	3/6/2025	3/6/2025	high

Detections

Analytics

Plugins Search

high

high

high

high