| 0 |
| url |
VCID-1s54-qwaj-dbg5 |
| vulnerability_id |
VCID-1s54-qwaj-dbg5 |
| summary |
Information Exposure Through Timing Discrepancy
Symfony allows remote attackers to have unspecified impact via a timing attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.7.7 |
| purl |
pkg:composer/symfony/symfony@2.7.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-d4ry-msw9-17gu |
|
| 5 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 6 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 7 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 8 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 9 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 10 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 11 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 12 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 13 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 14 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 15 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 16 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
| 17 |
| vulnerability |
VCID-zqk8-27jq-j7dx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.7 |
|
|
| aliases |
CVE-2015-8125, GHSA-g97c-jfx6-xvxh
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1s54-qwaj-dbg5 |
|
| 1 |
| url |
VCID-6bdp-9ng3-uyb1 |
| vulnerability_id |
VCID-6bdp-9ng3-uyb1 |
| summary |
Cross-site Scripting
The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.7.33 |
| purl |
pkg:composer/symfony/symfony@2.7.33 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 4 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 5 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 6 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 7 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 8 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 9 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 10 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 11 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 12 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 13 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 14 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.33 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.8.26 |
| purl |
pkg:composer/symfony/symfony@2.8.26 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 6 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 7 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 8 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 9 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 10 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 11 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 12 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 13 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 14 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 15 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 16 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 17 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 18 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.26 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.2.13 |
| purl |
pkg:composer/symfony/symfony@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 6 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 7 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 8 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 9 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 10 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 11 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 12 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 13 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 14 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 15 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 16 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 17 |
| vulnerability |
VCID-x8xk-7pga-33hz |
|
| 18 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 19 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13 |
|
| 3 |
| url |
pkg:composer/symfony/symfony@3.3.6 |
| purl |
pkg:composer/symfony/symfony@3.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 6 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 7 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 8 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 9 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 10 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 11 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 12 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 13 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 14 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 15 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 16 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 17 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 18 |
| vulnerability |
VCID-x8xk-7pga-33hz |
|
| 19 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 20 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.6 |
|
|
| aliases |
CVE-2017-18343
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6bdp-9ng3-uyb1 |
|
| 2 |
| url |
VCID-7cdk-bmdh-2fde |
| vulnerability_id |
VCID-7cdk-bmdh-2fde |
| summary |
Cross-Site Request Forgery (CSRF)
By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 6 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 7 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 8 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 9 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 10 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 11 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 12 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-x8xk-7pga-33hz |
|
| 15 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 16 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
| 3 |
|
| 4 |
|
|
| aliases |
CVE-2018-11406, GHSA-g4g7-q726-v5hg
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7cdk-bmdh-2fde |
|
| 3 |
| url |
VCID-d4ry-msw9-17gu |
| vulnerability_id |
VCID-d4ry-msw9-17gu |
| summary |
Cryptographic Issues
The `nextBytes` function in the `SecureRandom` class in Symfony does not properly generate random numbers when used with PHP without the `paragonie/random_compat` library and the `openssl_random_pseudo_bytes` function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.7.9 |
| purl |
pkg:composer/symfony/symfony@2.7.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 5 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 6 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 7 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 8 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 9 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 10 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 11 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 12 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 15 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
| 16 |
| vulnerability |
VCID-zqk8-27jq-j7dx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.9 |
|
|
| aliases |
CVE-2016-1902, GHSA-jjx5-fq5g-8xpc
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d4ry-msw9-17gu |
|
| 4 |
| url |
VCID-epe4-cnhd-zyef |
| vulnerability_id |
VCID-epe4-cnhd-zyef |
| summary |
Esi Code Injection
Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2015-2308, GHSA-5c58-w9xc-qcj9
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-epe4-cnhd-zyef |
|
| 5 |
| url |
VCID-kx25-m1mp-zfay |
| vulnerability_id |
VCID-kx25-m1mp-zfay |
| summary |
Insufficient Session Expiration
The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 6 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 7 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 8 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 9 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 10 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 11 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 12 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-x8xk-7pga-33hz |
|
| 15 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 16 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
| 3 |
|
| 4 |
|
|
| aliases |
CVE-2018-11386, GHSA-r2rq-3h56-fqm4
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kx25-m1mp-zfay |
|
| 6 |
|
| 7 |
| url |
VCID-n4kq-nskp-1qar |
| vulnerability_id |
VCID-n4kq-nskp-1qar |
| summary |
Session Fixation
A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 4 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 5 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 6 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 7 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 8 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 9 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 10 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 11 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 12 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-x8xk-7pga-33hz |
|
| 15 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 16 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
| 3 |
|
| 4 |
|
|
| aliases |
CVE-2018-11385, GHSA-g4rg-rw65-8hfg
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n4kq-nskp-1qar |
|
| 8 |
| url |
VCID-s3xz-n4w1-ekd2 |
| vulnerability_id |
VCID-s3xz-n4w1-ekd2 |
| summary |
Improper Access Control
FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.5.0 |
| purl |
pkg:composer/symfony/symfony@2.5.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1s54-qwaj-dbg5 |
|
| 1 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 2 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 3 |
| vulnerability |
VCID-b9mr-r4x1-pkds |
|
| 4 |
| vulnerability |
VCID-bdna-y2w5-afe7 |
|
| 5 |
| vulnerability |
VCID-d4ry-msw9-17gu |
|
| 6 |
| vulnerability |
VCID-epe4-cnhd-zyef |
|
| 7 |
| vulnerability |
VCID-hkeu-kzf7-67e6 |
|
| 8 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 9 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 10 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 11 |
| vulnerability |
VCID-ntme-svm1-5qd9 |
|
| 12 |
| vulnerability |
VCID-qcad-rrwa-5uht |
|
| 13 |
| vulnerability |
VCID-vmr4-cut4-2fe6 |
|
| 14 |
| vulnerability |
VCID-vnku-f414-dyh9 |
|
| 15 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 16 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 17 |
| vulnerability |
VCID-zqk8-27jq-j7dx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.0 |
|
| 1 |
|
| 2 |
|
|
| aliases |
CVE-2015-4050, GHSA-qmqw-mpqp-mr54
|
| risk_score |
0.3 |
| exploitability |
0.5 |
| weighted_severity |
0.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s3xz-n4w1-ekd2 |
|
| 9 |
| url |
VCID-vmr4-cut4-2fe6 |
| vulnerability_id |
VCID-vmr4-cut4-2fe6 |
| summary |
Session Fixation
Session fixation vulnerability in the `Remember Me` login feature in Symfony allows remote attackers to hijack web sessions via a session id. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.7.7 |
| purl |
pkg:composer/symfony/symfony@2.7.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-d4ry-msw9-17gu |
|
| 5 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 6 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 7 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 8 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 9 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 10 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 11 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 12 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 13 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 14 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 15 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 16 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
| 17 |
| vulnerability |
VCID-zqk8-27jq-j7dx |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.7 |
|
|
| aliases |
CVE-2015-8124, GHSA-j5jh-hpr4-h332
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vmr4-cut4-2fe6 |
|
| 10 |
| url |
VCID-vnku-f414-dyh9 |
| vulnerability_id |
VCID-vnku-f414-dyh9 |
| summary |
Unsafe methods in the Request class
The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-2309, GHSA-p684-f7fh-jv2j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vnku-f414-dyh9 |
|
| 11 |
|
| 12 |
|
| 13 |
| url |
VCID-zqk8-27jq-j7dx |
| vulnerability_id |
VCID-zqk8-27jq-j7dx |
| summary |
CVE-2016-4423: Large username storage in session
The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.7.13 |
| purl |
pkg:composer/symfony/symfony@2.7.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 5 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 6 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 7 |
| vulnerability |
VCID-h377-gc9v-abep |
|
| 8 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 9 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 10 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 11 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 12 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 15 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.13 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.8.6 |
| purl |
pkg:composer/symfony/symfony@2.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 5 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 6 |
| vulnerability |
VCID-d814-yjkr-p3ga |
|
| 7 |
| vulnerability |
VCID-fytq-6ane-hyf7 |
|
| 8 |
| vulnerability |
VCID-g8cq-v4et-cue4 |
|
| 9 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 10 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 11 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 12 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 13 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 14 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 15 |
| vulnerability |
VCID-vysf-2cxd-zqe2 |
|
| 16 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 17 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 18 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 19 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.6 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.0.6 |
| purl |
pkg:composer/symfony/symfony@3.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-59sy-m44r-h3gn |
|
| 1 |
| vulnerability |
VCID-5txj-xsnq-ducf |
|
| 2 |
| vulnerability |
VCID-6bdp-9ng3-uyb1 |
|
| 3 |
| vulnerability |
VCID-7cdk-bmdh-2fde |
|
| 4 |
| vulnerability |
VCID-8627-nvyk-w7fu |
|
| 5 |
| vulnerability |
VCID-a9gt-63v3-vbdf |
|
| 6 |
| vulnerability |
VCID-kx25-m1mp-zfay |
|
| 7 |
| vulnerability |
VCID-m1y3-csp4-aqe4 |
|
| 8 |
| vulnerability |
VCID-mbd5-rsax-jya9 |
|
| 9 |
| vulnerability |
VCID-n1c7-yabu-jye7 |
|
| 10 |
| vulnerability |
VCID-n4kq-nskp-1qar |
|
| 11 |
| vulnerability |
VCID-tpgm-tx2g-4bh2 |
|
| 12 |
| vulnerability |
VCID-w8s1-z3hu-8beh |
|
| 13 |
| vulnerability |
VCID-wnu2-cmrt-bkhr |
|
| 14 |
| vulnerability |
VCID-yasp-usps-xkc3 |
|
| 15 |
| vulnerability |
VCID-zmrn-3fbj-gqcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.0.6 |
|
|
| aliases |
CVE-2016-4423, GHSA-whgv-8cg3-7hcm
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zqk8-27jq-j7dx |
|