CVE-2015-2308 - Daughterly Mafia

Description

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27 2.4.x and 2.5.x before 2.5.11 and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language=\php\ attribute of a SCRIPT element.

Reference

http://jvndb.jvn.jp/jvndb/JVNDB-2015-000089 http://jvn.jp/en/jp/JVN19578958/index.html https://symfony.com/blog/cve-2015-2308-esi-code-injection http://www.securityfocus.com/bid/75357