PatchSiren cyber security CVE debrief

CVE-2017-5542 Getsymphony CVE debrief

CVE-2017-5542 is a cross-site scripting (XSS) vulnerability in Symphony CMS before 2.6.10. The issue affects template/usererror.missing_extension.php and can let a remote attacker inject arbitrary web script or HTML through the existing-folder parameter. NVD classifies the weakness as CWE-79 and assigns CVSS 3.0 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The vulnerability was published on 2017-01-20 and later modified in NVD on 2026-05-13. The vendor release notes for 2.6.10 and the linked issue tracker entry are the key references for remediation.

Vendor: Getsymphony
Product: CVE-2017-5542
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Operators and maintainers of Symphony CMS instances at version 2.6.9 or earlier, especially internet-facing deployments and teams responsible for content-editing workflows or admin interfaces where user interaction could trigger rendered HTML or script.

Technical summary

The NVD record describes a reflected or rendered XSS condition in Symphony CMS's missing-extension error template. User-controlled input from the existing-folder parameter can reach output in template/usererror.missing_extension.php without adequate escaping, enabling script or HTML injection. NVD maps the issue to CWE-79 and lists the affected CPE range as Symphony versions up to and including 2.6.9, with the fix available in 2.6.10.

Defensive priority

Medium. The issue requires user interaction, but it is network-reachable and can affect confidentiality and integrity in the browser context. Prioritize remediation for public-facing or heavily used CMS deployments.

Recommended defensive actions

  • Upgrade Symphony CMS to version 2.6.10 or later.
  • Inventory all Symphony CMS deployments and confirm no instances remain on 2.6.9 or earlier.
  • Review any customizations around template/usererror.missing_extension.php and verify they preserve output escaping.
  • Treat the existing-folder parameter as attacker-controlled input and ensure it is safely encoded before rendering.
  • If immediate upgrade is not possible, reduce exposure to untrusted users and monitor for anomalous HTML or script injection attempts in affected error paths.
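The following PHP is an added illustration of the escaping point made in the technical summary and in the defensive actions above. It is not Symphony CMS code and does not reproduce template/usererror.missing_extension.php; the template text, the function names, and the sample folder value are all constructed for this example. It contrasts a CWE-79 style render that interpolates the folder parameter verbatim with one that encodes at the point of output, and adds a small allow-list check a reviewer can run over rendered fragments to confirm no foreign tags got through.

```php
<?php
// Added example for this debrief; not code from Symphony CMS and not a copy
// of template/usererror.missing_extension.php. It models the defensive action
// "treat the existing-folder parameter as attacker-controlled input and
// encode it before rendering". All function names are hypothetical.
declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CWE-79 pattern: the request parameter is interpolated into the error
// message verbatim, so any markup in it becomes part of the rendered page.
function renderMissingExtensionUnsafe(string $existingFolder): string
{
    return '<p>The extension folder <code>' . $existingFolder
         . '</code> already exists but the extension could not be loaded.</p>';
}

// Hardened pattern: encode at the point of output, whatever the value's origin.
function renderMissingExtensionSafe(string $existingFolder): string
{
    return '<p>The extension folder <code>' . encodeForHtml($existingFolder)
         . '</code> already exists but the extension could not be loaded.</p>';
}

// Regression check for a code review or CI step: the rendered fragment may
// contain only the tag names the template itself emits. Any other tag name
// means untrusted input reached the markup unencoded.
function usesOnlyTemplateTags(string $html, array $allowedTags = ['p', 'code']): bool
{
    if (preg_match_all('/<\/?([a-z][a-z0-9]*)/i', $html, $matches) === false) {
        return false;
    }
    $seen = array_map('strtolower', $matches[1]);
    return array_diff($seen, $allowedTags) === [];
}

// Constructed sample input carrying markup, standing in for a crafted
// existing-folder value. No real folder of this name is implied.
$sample = '"><b>not-a-folder</b>';

$unsafe = renderMissingExtensionUnsafe($sample);
$safe   = renderMissingExtensionSafe($sample);

echo "Unsafe render: {$unsafe}\n";
echo "Safe render:   {$safe}\n";
echo 'Unsafe passes tag check: ' . var_export(usesOnlyTemplateTags($unsafe), true) . "\n";
echo 'Safe passes tag check:   ' . var_export(usesOnlyTemplateTags($safe), true) . "\n";
```

The tag allow-list check is deliberately coarse: it does not prove a template is safe, but it fails loudly whenever a value that should have been encoded introduces a tag the template never writes, which is the kind of cheap regression guard worth keeping next to any customization of an error template.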

Evidence notes

This debrief is based on the official NVD record and the linked vendor references. The NVD metadata explicitly lists CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, CWE-79, and vulnerable versions ending at 2.6.9. The provided references include the Symphony CMS issue tracker entry and the 2.6.10 release notes, which indicate the remediation path. No KEV listing was provided for this CVE.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-20; NVD metadata last modified on 2026-05-13. No CISA KEV entry was provided in the source corpus.