VulnerableCode Vulnerability Details - VCID-up7g-6ewp-uya5

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-up7g-6ewp-uya5

Essentials
Severities (18)
References (13)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-up7g-6ewp-uya5
Aliases	CVE-2015-4050 GHSA-qmqw-mpqp-mr54
Summary	Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-284	Improper Access Control
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	MODERATE	http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
generic_textual	MODERATE	http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
generic_textual	MODERATE	http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
epss	0.76192	https://api.first.org/data/v1/epss?cve=CVE-2015-4050
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-qmqw-mpqp-mr54
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-4050.yaml
generic_textual	MODERATE	https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-4050.yaml
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2015-4050
generic_textual	MODERATE	https://symfony.com/cve-2015-4050
generic_textual	MODERATE	https://web.archive.org/web/20200228090443/http://www.securityfocus.com/bid/74928
generic_textual	MODERATE	http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
generic_textual	MODERATE	http://www.debian.org/security/2015/dsa-3276

Reference id	Reference type	URL
		http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
		http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
		http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
		https://api.first.org/data/v1/epss?cve=CVE-2015-4050
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4050
		https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-4050.yaml
		https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-4050.yaml
		https://nvd.nist.gov/vuln/detail/CVE-2015-4050
		https://web.archive.org/web/20200228090443/http://www.securityfocus.com/bid/74928
		http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
		http://www.debian.org/security/2015/dsa-3276
CVE-2015-4050		https://symfony.com/cve-2015-4050
GHSA-qmqw-mpqp-mr54		https://github.com/advisories/GHSA-qmqw-mpqp-mr54

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.98915
EPSS Score	0.76192
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:46:57.388701+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	38.0.0