In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
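The missing check, sketched as an added example (not Symfony's code and not taken from the linked commit): the effective method is resolved from the verb and an override header value, and anything that is not a plain method token is rejected before application code can reuse it in a query or a page. The function name, the `X-HTTP-Method-Override` header name, the POST-only override rule, and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Methods accepted without further inspection (list chosen for this example).
const KNOWN_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE',
                       'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'];

/**
 * Hypothetical helper: resolve the effective HTTP method from the request
 * verb and an optional X-HTTP-Method-Override value, throwing instead of
 * returning a string that could carry markup or SQL into later code.
 */
function resolveHttpMethod(string $verb, ?string $override = null): string
{
    $method = strtoupper($verb);

    // Assumption: an override is honoured only when the real verb is POST.
    if ($method === 'POST' && $override !== null && $override !== '') {
        $method = strtoupper($override);
    }

    if (in_array($method, KNOWN_METHODS, true)) {
        return $method;
    }

    // Custom verbs must be letters only. The D modifier stops "$" from
    // matching before a trailing newline.
    if (preg_match('/^[A-Z]+$/D', $method) !== 1) {
        throw new UnexpectedValueException('Invalid HTTP method');
    }

    return $method;
}

// Constructed sample inputs: [verb, override header value].
$samples = [
    ['POST', 'delete'],                     // legitimate override
    ['GET', 'DELETE'],                      // override ignored on non-POST
    ['POST', "PUT' OR '1'='1"],             // quote characters in override
    ['POST', '<script>alert(1)</script>'],  // markup in override
    ["GET\n", null],                        // control character in the verb
];

foreach ($samples as [$verb, $override]) {
    try {
        $result = resolveHttpMethod($verb, $override);
    } catch (UnexpectedValueException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    printf("%s + %s => %s\n", json_encode($verb), json_encode($override), $result);
}
```

Validation at this boundary does not replace parameterised queries or output encoding wherever the method string is later used.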
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml
github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec
nvd.nist.gov/vuln/detail/CVE-2019-10913
symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
symfony.com/cve-2019-10913