Search for vulnerabilities
Vulnerability details: VCID-qwxg-bwq5-57gq
Vulnerability ID VCID-qwxg-bwq5-57gq
Aliases CVE-2015-2308
GHSA-5c58-w9xc-qcj9
Summary Symfony Vulnerable to PHP Eval Injection Applications with ESI support (and SSI support as of Symfony 2.6) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. HttpCache uses eval() to execute files in its cache when they contain ESI tags (and only when ESI is enabled). The vulnerability comes from the fact that PHP allows contents of <script language="php"> tags to be executed (and this kind of PHP tags is always available regardless of the configuration), but there were not escaped before the evaluation. A possible exploit comes from websites also vulnerable to Cross-Site Scripting as an attacker can successfully conduct a PHP code injection attack by passing such a tag in a user submitted variable (for which proper output escaping was not applied).
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
generic_textual MODERATE http://jvndb.jvn.jp/jvndb/JVNDB-2015-000089
generic_textual MODERATE http://jvn.jp/en/jp/JVN19578958/index.html
epss 0.00543 https://api.first.org/data/v1/epss?cve=CVE-2015-2308
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml
generic_textual MODERATE https://github.com/symfony/symfony
generic_textual MODERATE https://github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2015-2308
generic_textual MODERATE https://symfony.com/blog/cve-2015-2308-esi-code-injection
generic_textual MODERATE https://symfony.com/cve-2015-2308
generic_textual MODERATE https://web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357
Reference id Reference type URL
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000089
http://jvn.jp/en/jp/JVN19578958/index.html
https://api.first.org/data/v1/epss?cve=CVE-2015-2308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2308
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml
https://github.com/symfony/symfony
https://github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a
https://nvd.nist.gov/vuln/detail/CVE-2015-2308
https://symfony.com/blog/cve-2015-2308-esi-code-injection
https://symfony.com/cve-2015-2308
https://web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357
CVE-2015-2308-ESI-CODE-INJECTION http://symfony.com/blog/cve-2015-2308-esi-code-injection
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.66692
EPSS Score 0.00543
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:29:07.782753+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5c58-w9xc-qcj9/GHSA-5c58-w9xc-qcj9.json 36.1.3