CVE-2024-28861 - Vulnerability Details - OpenCVE

Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Friendsofsymfony1	Symfony1

Configuration 1 [-]

cpe:2.3:a:friendsofsymfony1:symfony1:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a
https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433

History

Fri, 05 Dec 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Friendsofsymfony1 Friendsofsymfony1 symfony1
CPEs		cpe:2.3:a:friendsofsymfony1:symfony1::::::::
Vendors & Products		Friendsofsymfony1 Friendsofsymfony1 symfony1

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-22T16:43:18.453Z

Updated: 2024-08-20T20:33:11.104Z

Reserved: 2024-03-11T22:45:07.686Z

Link: CVE-2024-28861

Vulnrichment

Updated: 2024-08-02T00:56:58.132Z

NVD

Status : Analyzed

Published: 2024-03-22T17:15:07.770

Modified: 2025-12-05T19:59:09.477

Link: CVE-2024-28861

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28861", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-11T22:45:07.686Z", "datePublished": "2024-03-22T16:43:18.453Z", "dateUpdated": "2024-08-20T20:33:11.104Z"}, "containers": {"cna": {"title": "Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433"}, {"name": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "tags": ["x_refsource_MISC"], "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a"}], "affected": [{"vendor": "FriendsOfSymfony1", "product": "symfony1", "versions": [{"version": ">= 1.1.0, < 1.5.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-22T16:43:18.453Z"}, "descriptions": [{"lang": "en", "value": "Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue."}], "source": {"advisory": "GHSA-pv9j-c53q-h433", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.132Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433"}, {"name": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a"}]}, {"affected": [{"vendor": "friends_of_symfony_project", "product": "fosuserbundle", "cpes": ["cpe:2.3:a:friends_of_symfony_project:fosuserbundle:*:-:-:*:-:symfony:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.1.0", "status": "affected", "lessThan": "1.5.19", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-25T19:21:39.440512Z", "id": "CVE-2024-28861", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T20:33:11.104Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "name": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "name": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:56:58.132Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28861", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-25T19:21:39.440512Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:friends_of_symfony_project:fosuserbundle:*:-:-:*:-:symfony:*:*"], "vendor": "friends_of_symfony_project", "product": "fosuserbundle", "versions": [{"status": "affected", "version": "1.1.0", "lessThan": "1.5.19", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T20:33:05.752Z"}}], "cna": {"title": "Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder", "source": {"advisory": "GHSA-pv9j-c53q-h433", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FriendsOfSymfony1", "product": "symfony1", "versions": [{"status": "affected", "version": ">= 1.1.0, < 1.5.19"}]}], "references": [{"url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "name": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "name": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-22T16:43:18.453Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28861", "state": "PUBLISHED", "dateUpdated": "2024-08-20T20:33:11.104Z", "dateReserved": "2024-03-11T22:45:07.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-22T16:43:18.453Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:friendsofsymfony1:symfony1:*:*:*:*:*:*:*:*", "matchCriteriaId": "092DD8C8-8109-4D40-8313-AB50AFF98A98", "versionEndExcluding": "1.5.9", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangerous deserialization in `sfNamespacedParameterHolder` class that would enable an attacker to get remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue."}, {"lang": "es", "value": "Symfony 1 es una bifurcaci\u00f3n impulsada por la comunidad de la rama 1.x de Symfony, un framework PHP para proyectos web. A partir de la versi\u00f3n 1.1.0 y antes de la versi\u00f3n 1.5.19, Symfony 1 tiene una cadena de gadgets debido a una deserializaci\u00f3n peligrosa en la clase `sfNamespacedParameterHolder` que permitir\u00eda a un atacante obtener la ejecuci\u00f3n remota de c\u00f3digo si un desarrollador deserializa la entrada del usuario en su proyecto. La versi\u00f3n 1.5.19 contiene un parche para el problema."}], "id": "CVE-2024-28861", "lastModified": "2025-12-05T19:59:09.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-22T17:15:07.770", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/FriendsOfSymfony1/symfony1/commit/0bd9d59c69221f49bfc8be8b871b79e12d7d171a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory", "Exploit", "Mitigation"], "url": "https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}