CVE-2015-4050
Severity: MEDIUM · CVSS 4.3 · Long-tail
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
Disclosed
2015-06-02
4025 days ago
Still scanned
11 years later
ongoing background-scan activity
7-day events
0
across 0 distinct IPs
7-day spread
0 ASN · 0 cty
0 active days
In-the-wild assessment
Some activity observed but below the in-the-wild threshold. Last 7 days: 0/5 IPs, 0/3 ASNs, 0/3 countries, 0/2 active days. Likely a researcher PoC or single campaign rather than wide exploitation.
Daily events · last 365 days
2025-06-11 to 2026-06-10 · peak 1 · total 1
Top ASNs
No events captured yet.
Top countries
No events captured yet.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
- http://www.debian.org/security/2015/dsa-3276
- http://www.securityfocus.com/bid/74928