EZSA-2018-010: Symfony security advisories

Publication date : 10/12/2018
Severity : High
Affected versions : 2.x, 1.13, 1.7, 5.4, all community versions at time of writing (new stack only)
Resolving versions : Symfony 2.7.50, 2.8.49, and 3.4.20

This is to warn you about 2 security advisories recently released by Symfony:

  • CVE-2018-19789: Disclosure of uploaded files full path
  • CVE-2018-19790: Open Redirect Vulnerability when using Security\Http

These are important to patch. Possible dangers include remote code execution, and phishing / account hijacking. You can read more about them here:

We recommend that you install the fixes as soon as possible. They are distributed via Composer. You can update Symfony with the following command:

composer update symfony/symfony

Depending on your version of eZ Platform, you will be on the 2.7, 2.8, or 3.4 branch of Symfony. The issues are fixed in Symfony 2.7.50, 2.8.49, and 3.4.20. Please make sure you are updated to one of these versions, or higher.
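
To confirm the result after updating, the following added example (not part of the original advisory, and not eZ or Symfony code) reads a composer.lock document and compares the locked symfony/symfony version against the fixed releases listed above. The function name, status strings and sample lock content are constructed for illustration.

```python
import json
import re
import sys

# Fixed patch release per Symfony branch, as listed in this advisory.
FIXED = {(2, 7): 50, (2, 8): 49, (3, 4): 20}

# Constructed sample: a minimal composer.lock with a pre-fix 3.4 release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "ezsystems/ezpublish-kernel", "version": "v7.3.2"},
        {"name": "symfony/symfony", "version": "v3.4.19"},
    ],
    "packages-dev": [],
})


def symfony_status(lock_text):
    """Return (status, version) for symfony/symfony in a composer.lock document.

    status is "patched", "vulnerable", "unknown" (branch not named in the
    advisory, or a version that cannot be compared) or "not-found".
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in packages:
        if pkg.get("name") != "symfony/symfony":
            continue
        version = pkg.get("version", "")
        # Composer usually records tags with a leading "v", e.g. "v3.4.20".
        m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
        if not m:
            return "unknown", version  # e.g. a dev branch alias
        major, minor, patch = map(int, m.groups())
        fixed_patch = FIXED.get((major, minor))
        if fixed_patch is None:
            return "unknown", version
        return ("patched" if patch >= fixed_patch else "vulnerable"), version
    return "not-found", None


if __name__ == "__main__":
    # Pass the path to composer.lock, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = symfony_status(text)
    print(f"symfony/symfony {version}: {status}")
    sys.exit(0 if status == "patched" else 1)
```

A "not-found" result means the project does not lock the symfony/symfony package itself, which this check does not cover.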

If you come across a security issue in our products, here is how you can report it to us:
