Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/form@2.7.0-alpha0
Typecomposer
Namespacesymfony
Nameform
Version2.7.0-alpha0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.0.0-BETA1
Latest_non_vulnerable_version6.3.0-BETA1
Affected_by_vulnerabilities
0
url VCID-hxhq-zdyu-dudz
vulnerability_id VCID-hxhq-zdyu-dudz
summary 
Attacker can read all files content on the server
When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.
references
0
reference_url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
reference_id
reference_type
scores
url http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-16790
reference_id
reference_type
scores
0
value 0.00686
scoring_system epss
scoring_elements 0.71741
published_at 2026-04-18T12:55:00Z
1
value 0.00686
scoring_system epss
scoring_elements 0.71772
published_at 2026-04-24T12:55:00Z
2
value 0.00686
scoring_system epss
scoring_elements 0.71723
published_at 2026-04-21T12:55:00Z
3
value 0.00686
scoring_system epss
scoring_elements 0.71654
published_at 2026-04-01T12:55:00Z
4
value 0.00686
scoring_system epss
scoring_elements 0.7166
published_at 2026-04-02T12:55:00Z
5
value 0.00686
scoring_system epss
scoring_elements 0.71678
published_at 2026-04-04T12:55:00Z
6
value 0.00686
scoring_system epss
scoring_elements 0.71651
published_at 2026-04-07T12:55:00Z
7
value 0.00686
scoring_system epss
scoring_elements 0.71691
published_at 2026-04-13T12:55:00Z
8
value 0.00686
scoring_system epss
scoring_elements 0.71702
published_at 2026-04-09T12:55:00Z
9
value 0.00686
scoring_system epss
scoring_elements 0.71726
published_at 2026-04-11T12:55:00Z
10
value 0.00686
scoring_system epss
scoring_elements 0.71709
published_at 2026-04-12T12:55:00Z
11
value 0.00686
scoring_system epss
scoring_elements 0.71735
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-16790
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406
10
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2017-16790.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2017-16790.yaml
11
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16790.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16790.yaml
12
reference_url https://github.com/symfony/form
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/form
13
reference_url https://github.com/symfony/symfony/pull/24993
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/pull/24993
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-16790
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-16790
15
reference_url https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
16
reference_url https://symfony.com/cve-2017-16790
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2017-16790
17
reference_url https://www.debian.org/security/2018/dsa-4262
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2018/dsa-4262
18
reference_url http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
reference_id CVE-2017-16790-ENSURE-THAT-SUBMITTED-DATA-ARE-UPLOADED-FILES
reference_type
scores
url http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files
19
reference_url https://github.com/advisories/GHSA-cqqh-94r6-wjrg
reference_id GHSA-cqqh-94r6-wjrg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cqqh-94r6-wjrg
fixed_packages
0
url pkg:composer/symfony/form@2.7.38
purl pkg:composer/symfony/form@2.7.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27sw-43vt-ukh3
1
vulnerability VCID-qwcj-hq3g-2qd7
2
vulnerability VCID-rgh3-ef8t-k3ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.7.38
1
url pkg:composer/symfony/form@2.8.31
purl pkg:composer/symfony/form@2.8.31
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27sw-43vt-ukh3
1
vulnerability VCID-e71e-d4tr-wqgz
2
vulnerability VCID-qwcj-hq3g-2qd7
3
vulnerability VCID-rgh3-ef8t-k3ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.8.31
2
url pkg:composer/symfony/form@3.2.14
purl pkg:composer/symfony/form@3.2.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27sw-43vt-ukh3
1
vulnerability VCID-e71e-d4tr-wqgz
2
vulnerability VCID-qwcj-hq3g-2qd7
3
vulnerability VCID-rgh3-ef8t-k3ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.2.14
3
url pkg:composer/symfony/form@3.3.13
purl pkg:composer/symfony/form@3.3.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-27sw-43vt-ukh3
1
vulnerability VCID-e71e-d4tr-wqgz
2
vulnerability VCID-qwcj-hq3g-2qd7
3
vulnerability VCID-rgh3-ef8t-k3ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.3.13
4
url pkg:composer/symfony/form@3.4.0-BETA5
purl pkg:composer/symfony/form@3.4.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@3.4.0-BETA5
5
url pkg:composer/symfony/form@4.0.0-BETA5
purl pkg:composer/symfony/form@4.0.0-BETA5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@4.0.0-BETA5
aliases CVE-2017-16790, GHSA-cqqh-94r6-wjrg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hxhq-zdyu-dudz
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/form@2.7.0-alpha0