PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5541 Getsymphony CVE debrief

CVE-2017-5541 is a directory traversal issue in Symphony CMS that affects versions up to and including 2.6.9. According to the NVD record, the flaw is in template/usererror.missing_extension.php: a remote attacker can influence file rename behaviour by supplying existing-folder and new-folder values that contain dot-dot (..) path segments. The CVE was published on 2017-01-20, and its NVD record was last modified on 2026-05-13. Symphony CMS 2.6.10 is the referenced fixed release.

Vendor
Getsymphony
Product
Symphony CMS
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-20
Original CVE updated
2026-05-13
Advisory published
2017-01-20
Advisory updated
2026-05-13

Who should care

Administrators, maintainers, and hosting teams running Symphony CMS 2.6.9 or earlier should review this issue, especially where the affected template path and file-management workflows are reachable from untrusted users.

Technical summary

NVD classifies the weakness as CWE-22 (Path Traversal) with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium). The vulnerable component is template/usererror.missing_extension.php; the reported attack condition is .. sequences in the existing-folder and new-folder parameters, which are used to build filesystem paths for a rename operation without being confined to the intended directory. The documented impact is low integrity impact only (the vector records no confidentiality or availability impact). The affected range ends at 2.6.9; 2.6.10 is the referenced fixed release.

Defensive priority

Medium. The issue is network-reachable and requires no privileges or user interaction, but the documented impact is limited to low integrity impact rather than full compromise.

Recommended defensive actions

  • Upgrade Symphony CMS to 2.6.10 or later as referenced by the vendor release notes.
  • Inventory deployments to confirm whether any instances are still on 2.6.9 or earlier.
  • Review file-rename and folder-handling code paths for path normalization and traversal checks.
  • Restrict access to administrative or file-management features to trusted users only.
  • Monitor application logs for unexpected rename activity or anomalous path inputs.
  • Validate backups and recovery procedures before applying the update.
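The following is an added example, not code from Symphony CMS or from the NVD record. It illustrates the technical summary above (a rename that joins untrusted folder names onto a base directory, beside a hardened version that confines both paths to that directory) and the two review and monitoring actions in the list (checking rename code paths for containment, and flagging anomalous existing-folder / new-folder inputs). The base directory, the temporary workspace, the query strings and the assumption that the two parameters arrive as ordinary query-string values are all constructed for illustration; the real request shape in Symphony CMS is not described on this page.

```python
import os
import tempfile
from urllib.parse import parse_qs, unquote

# Parameter names are taken from the CVE description; everything else here is assumed.
WATCHED_PARAMS = ("existing-folder", "new-folder")


def resolve_inside(base, user_path):
    """Return the canonical path of base/user_path, or None if it escapes base.

    realpath() collapses '..' segments and follows symlinks, so a value such as
    '../../etc' (or a symlink that points outside) is rejected by the prefix check.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def rename_folder_unsafe(base, existing_folder, new_folder):
    """Vulnerable pattern: untrusted names are joined onto base with no containment check."""
    src = os.path.join(base, existing_folder)
    dst = os.path.join(base, new_folder)
    os.rename(src, dst)
    return dst


def rename_folder_safe(base, existing_folder, new_folder):
    """Hardened pattern: both source and destination must resolve inside base."""
    src = resolve_inside(base, existing_folder)
    dst = resolve_inside(base, new_folder)
    if src is None or dst is None:
        raise ValueError("folder path escapes the workspace root")
    os.rename(src, dst)
    return dst


def looks_like_traversal(value):
    """True if a parameter value contains a '..' path segment after (repeated) URL-decoding.

    Decoding is repeated a bounded number of times so that '%252e%252e' (double-encoded)
    is caught as well; backslashes are treated as separators to cover Windows-style input.
    """
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_query_params(query):
    """Return [(param, decoded_value)] for watched parameters whose value looks like traversal.

    Assumes the folder names travel as query-string parameters (an assumption, not a fact
    from the advisory); adapt the extraction step to the real request format.
    """
    flagged = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if looks_like_traversal(value):
                flagged.append((name, value))
    return flagged


def demo():
    """Show the unsafe rename moving a folder out of the workspace and the safe one refusing.

    Returns (escaped, blocked): True/True means the unsafe path escaped and the safe path
    raised. Uses a constructed temporary directory layout.
    """
    with tempfile.TemporaryDirectory() as tmp:
        workspace = os.path.join(tmp, "workspace")
        os.makedirs(os.path.join(workspace, "uploads"))
        # Unsafe: 'new-folder' of '../escaped' relocates workspace/uploads to tmp/escaped.
        rename_folder_unsafe(workspace, "uploads", "../escaped")
        escaped = os.path.isdir(os.path.join(tmp, "escaped"))
        # Safe: the same input is rejected before any filesystem change.
        os.makedirs(os.path.join(workspace, "uploads"))
        try:
            rename_folder_safe(workspace, "uploads", "../escaped2")
            blocked = False
        except ValueError:
            blocked = True
        return escaped, blocked


if __name__ == "__main__":
    print("unsafe escaped, safe blocked:", demo())
    print(scan_query_params("existing-folder=uploads&new-folder=..%2F..%2Fetc%2Fx"))
```

The containment check is the point to look for when reviewing a rename code path: normalising the input (stripping `..`) is weaker than resolving the final path and testing it against the intended root, because encodings, symlinks and separator variants all collapse correctly only after resolution. The scanner is deliberately narrow (only the two named parameters) so that it can be run over access-log query strings without flooding on legitimate `..` usage elsewhere.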

Evidence notes

The supplied NVD metadata states the vulnerability is in Symphony CMS (cpe:2.3:a:getsymphony:symphony) through version 2.6.9, uses CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, and maps to CWE-22. The referenced corpus includes a Symphony CMS issue record and the 2.6.10 release notes, which are consistent with remediation in that release. CVE publishedAt is 2017-01-20T08:59:00.470Z; modifiedAt is 2026-05-13T00:24:29.033Z.

Official resources

Publicly disclosed on 2017-01-20. The NVD record was later modified on 2026-05-13. The supplied corpus points to Symphony CMS 2.6.10 as the referenced fix for versions up to 2.6.9.