In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
https://www.synology.com/security/advisory/Synology_SA_19_19
https://www.drupal.org/sa-core-2019-005
https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2
https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
Source: Mitre, NVD
Published: 2019-05-16
Updated: 2021-04-20
Base Score: 3.5
Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N
Severity: Low
Base Score: 5.4
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: Medium
EPSS: 0.00778