Jakub Zalas discovered that Symfony, a framework to create websites and
web applications, was vulnerable to restriction bypass. It was
affecting applications with ESI or SSI support enabled, that use the
FragmentListener. A malicious user could call any controller via the
/_fragment path by providing an invalid hash in the URL (or removing
it), bypassing URL signing and security rules.