| 0 |
| url |
VCID-15tu-dfam-yqgh |
| vulnerability_id |
VCID-15tu-dfam-yqgh |
| summary |
Cross-Site Request Forgery (CSRF)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2022-23601, GHSA-vvmr-8829-6whx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-15tu-dfam-yqgh |
|
| 1 |
| url |
VCID-1y96-v19f-tkgg |
| vulnerability_id |
VCID-1y96-v19f-tkgg |
| summary |
Improper Input Validation
An issue was discovered in `HttpKernel` in Symfony When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.14 |
| purl |
pkg:composer/symfony/symfony@4.0.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 15 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 16 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 17 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 18 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 19 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.14 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.1.3 |
| purl |
pkg:composer/symfony/symfony@4.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 15 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 16 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 17 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 18 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3 |
|
|
| aliases |
CVE-2018-14774, GHSA-66p6-7p29-55p9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1y96-v19f-tkgg |
|
| 2 |
| url |
VCID-23hr-yznx-c3fb |
| vulnerability_id |
VCID-23hr-yznx-c3fb |
| summary |
Improper Authentication
In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.1.12 |
| purl |
pkg:composer/symfony/symfony@4.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 9 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 10 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 13 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 14 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 15 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 16 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 17 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 18 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.2.7 |
| purl |
pkg:composer/symfony/symfony@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 4 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 5 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 6 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 7 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 8 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 11 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 12 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 13 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 14 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 15 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7 |
|
|
| aliases |
CVE-2019-10911, GHSA-cchx-mfrc-fwqr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-23hr-yznx-c3fb |
|
| 3 |
| url |
VCID-37et-21qw-skd7 |
| vulnerability_id |
VCID-37et-21qw-skd7 |
| summary |
Improper Input Validation
If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-18888, GHSA-xhh6-956q-4q69
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-37et-21qw-skd7 |
|
| 4 |
| url |
VCID-3kvp-hnpd-gbcq |
| vulnerability_id |
VCID-3kvp-hnpd-gbcq |
| summary |
Injection Vulnerability
An issue was discovered in Symfony. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-18889, GHSA-79gr-58r3-pwm3
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3kvp-hnpd-gbcq |
|
| 5 |
| url |
VCID-4f9e-eg67-cqbr |
| vulnerability_id |
VCID-4f9e-eg67-cqbr |
| summary |
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-46734, GHSA-q847-2q57-wmr3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4f9e-eg67-cqbr |
|
| 6 |
| url |
VCID-6c6t-kmb3-2qcm |
| vulnerability_id |
VCID-6c6t-kmb3-2qcm |
| summary |
Cross-site Scripting
In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.1.12 |
| purl |
pkg:composer/symfony/symfony@4.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 9 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 10 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 13 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 14 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 15 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 16 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 17 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 18 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.2.7 |
| purl |
pkg:composer/symfony/symfony@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 4 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 5 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 6 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 7 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 8 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 11 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 12 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 13 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 14 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 15 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7 |
|
|
| aliases |
CVE-2019-10909, GHSA-g996-q5r8-w7g2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6c6t-kmb3-2qcm |
|
| 7 |
| url |
VCID-7m45-bvbn-4qd3 |
| vulnerability_id |
VCID-7m45-bvbn-4qd3 |
| summary |
SQL Injection
In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.1.12 |
| purl |
pkg:composer/symfony/symfony@4.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 9 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 10 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 13 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 14 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 15 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 16 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 17 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 18 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.2.7 |
| purl |
pkg:composer/symfony/symfony@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 4 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 5 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 6 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 7 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 8 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 11 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 12 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 13 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 14 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 15 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7 |
|
|
| aliases |
CVE-2019-10913, GHSA-x92h-wmg2-6hp7
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7m45-bvbn-4qd3 |
|
| 8 |
|
| 9 |
| url |
VCID-awma-bc9f-kfe2 |
| vulnerability_id |
VCID-awma-bc9f-kfe2 |
| summary |
Symfony Service IDs Allow Injection
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.1.12 |
| purl |
pkg:composer/symfony/symfony@4.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 9 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 10 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 13 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 14 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 15 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 16 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 17 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 18 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.2.7 |
| purl |
pkg:composer/symfony/symfony@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 4 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 5 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 6 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 7 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 8 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 11 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 12 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 13 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 14 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 15 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7 |
|
|
| aliases |
CVE-2019-10910, GHSA-pgwj-prpq-jpc2
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-awma-bc9f-kfe2 |
|
| 10 |
| url |
VCID-bhnt-pgq7-yya3 |
| vulnerability_id |
VCID-bhnt-pgq7-yya3 |
| summary |
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-64500, GHSA-3rg7-wf37-54rm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhnt-pgq7-yya3 |
|
| 11 |
|
| 12 |
| url |
VCID-ef86-hqv4-6kaz |
| vulnerability_id |
VCID-ef86-hqv4-6kaz |
| summary |
Cross-Site Request Forgery (CSRF)
By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.11 |
| purl |
pkg:composer/symfony/symfony@4.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 2 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 3 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 4 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 5 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 6 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 7 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 8 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 14 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 15 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11 |
|
|
| aliases |
CVE-2018-11406, GHSA-g4g7-q726-v5hg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ef86-hqv4-6kaz |
|
| 13 |
| url |
VCID-f2w1-nvm5-rub3 |
| vulnerability_id |
VCID-f2w1-nvm5-rub3 |
| summary |
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters.
This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24739, GHSA-r39x-jcww-82v6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f2w1-nvm5-rub3 |
|
| 14 |
| url |
VCID-frbz-vpfe-vbh9 |
| vulnerability_id |
VCID-frbz-vpfe-vbh9 |
| summary |
Unrestricted Upload of File with Dangerous Type
When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.15 |
| purl |
pkg:composer/symfony/symfony@4.0.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 13 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 14 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 15 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 16 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 17 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.1.9 |
| purl |
pkg:composer/symfony/symfony@4.1.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 13 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 14 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 15 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 16 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 17 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 18 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 19 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@4.2.1 |
| purl |
pkg:composer/symfony/symfony@4.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 15 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 19 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 20 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1 |
|
|
| aliases |
CVE-2018-19789, GHSA-x3cf-w64x-4cp2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-frbz-vpfe-vbh9 |
|
| 15 |
| url |
VCID-jqh6-rwsw-73bs |
| vulnerability_id |
VCID-jqh6-rwsw-73bs |
| summary |
Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)
The UriSigner was subjectto timing attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-18887, GHSA-q8hg-pf8v-cxrv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jqh6-rwsw-73bs |
|
| 16 |
| url |
VCID-mew1-9shg-mugs |
| vulnerability_id |
VCID-mew1-9shg-mugs |
| summary |
URL Redirection to Untrusted Site (Open Redirect)
By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.15 |
| purl |
pkg:composer/symfony/symfony@4.0.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 13 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 14 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 15 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 16 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 17 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.1.9 |
| purl |
pkg:composer/symfony/symfony@4.1.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 13 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 14 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 15 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 16 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 17 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 18 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 19 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@4.2.1 |
| purl |
pkg:composer/symfony/symfony@4.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 15 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 19 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 20 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1 |
|
|
| aliases |
CVE-2018-19790, GHSA-89r2-5g34-2g47
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mew1-9shg-mugs |
|
| 17 |
| url |
VCID-nsuz-7sdv-abef |
| vulnerability_id |
VCID-nsuz-7sdv-abef |
| summary |
Insufficient Session Expiration
The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.11 |
| purl |
pkg:composer/symfony/symfony@4.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 2 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 3 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 4 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 5 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 6 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 7 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 8 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 14 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 15 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11 |
|
|
| aliases |
CVE-2018-11386, GHSA-r2rq-3h56-fqm4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuz-7sdv-abef |
|
| 18 |
| url |
VCID-p6f7-utd6-eqej |
| vulnerability_id |
VCID-p6f7-utd6-eqej |
| summary |
Information Exposure
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that status codes are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-21424, GHSA-5pv8-ppvj-4h68
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-p6f7-utd6-eqej |
|
| 19 |
| url |
VCID-pj86-ync3-gyan |
| vulnerability_id |
VCID-pj86-ync3-gyan |
| summary |
Symfony has an incorrect response from Validator when input ends with `\n`
It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/symfony/symfony |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/symfony/symfony |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://symfony.com/cve-2024-50343 |
| reference_id |
CVE-2024-50343 |
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://symfony.com/cve-2024-50343 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-50343, GHSA-g3rh-rrhp-jhh9
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pj86-ync3-gyan |
|
| 20 |
| url |
VCID-qqd1-smb1-sbe8 |
| vulnerability_id |
VCID-qqd1-smb1-sbe8 |
| summary |
URL Rewrite vulnerability
An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.14 |
| purl |
pkg:composer/symfony/symfony@4.0.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 15 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 16 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 17 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 18 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 19 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.14 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.1.3 |
| purl |
pkg:composer/symfony/symfony@4.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 9 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 10 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 11 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 12 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 13 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 14 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 15 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 16 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 17 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 18 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3 |
|
|
| aliases |
CVE-2018-14773, GHSA-8wgj-6wx8-h5hq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8 |
|
| 21 |
| url |
VCID-tx26-92jc-rkff |
| vulnerability_id |
VCID-tx26-92jc-rkff |
| summary |
URL Redirection to Untrusted Site (Open Redirect)
The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.11 |
| purl |
pkg:composer/symfony/symfony@4.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 2 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 3 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 4 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 5 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 6 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 7 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 8 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 14 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 15 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11 |
|
|
| aliases |
CVE-2018-11408, GHSA-7hwc-2cq4-6x2w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tx26-92jc-rkff |
|
| 22 |
| url |
VCID-uuk9-e5qy-rfgf |
| vulnerability_id |
VCID-uuk9-e5qy-rfgf |
| summary |
Improper Authentication
An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.7 |
| purl |
pkg:composer/symfony/symfony@4.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 2 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 3 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 4 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 5 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 6 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 7 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 8 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 13 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 14 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 15 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 16 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 17 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 18 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 19 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 20 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 21 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 22 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 23 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 24 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 25 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.7 |
|
|
| aliases |
CVE-2018-11407, GHSA-35c5-28pg-2qg4
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uuk9-e5qy-rfgf |
|
| 23 |
| url |
VCID-vyug-krcw-jyef |
| vulnerability_id |
VCID-vyug-krcw-jyef |
| summary |
Session Fixation
A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.0.11 |
| purl |
pkg:composer/symfony/symfony@4.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 2 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 3 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 4 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 5 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 6 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 7 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 8 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 9 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 10 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 11 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 12 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 13 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 14 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 15 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 16 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 17 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 18 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 19 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 21 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11 |
|
|
| aliases |
CVE-2018-11385, GHSA-g4rg-rw65-8hfg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vyug-krcw-jyef |
|
| 24 |
| url |
VCID-yetr-unnz-gbhn |
| vulnerability_id |
VCID-yetr-unnz-gbhn |
| summary |
Symfony vulnerable to command execution hijack on Windows with Process class
On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/symfony/symfony |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/symfony/symfony |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://symfony.com/cve-2024-51736 |
| reference_id |
CVE-2024-51736 |
| reference_type |
|
| scores |
| 0 |
| value |
8.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://symfony.com/cve-2024-51736 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-51736, GHSA-qq5c-677p-737q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yetr-unnz-gbhn |
|
| 25 |
| url |
VCID-zeut-9wfp-q7et |
| vulnerability_id |
VCID-zeut-9wfp-q7et |
| summary |
Deserialization of Untrusted Data
In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@4.1.12 |
| purl |
pkg:composer/symfony/symfony@4.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 5 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 6 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 7 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 8 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 9 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 10 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 13 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 14 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 15 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 16 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 17 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
| 18 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@4.2.7 |
| purl |
pkg:composer/symfony/symfony@4.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-15tu-dfam-yqgh |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-4f9e-eg67-cqbr |
|
| 4 |
| vulnerability |
VCID-91hk-tdtv-x7fp |
|
| 5 |
| vulnerability |
VCID-9m8x-djng-8ye3 |
|
| 6 |
| vulnerability |
VCID-bhnt-pgq7-yya3 |
|
| 7 |
| vulnerability |
VCID-c3qr-9rv2-yqh9 |
|
| 8 |
| vulnerability |
VCID-f2w1-nvm5-rub3 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-kktw-gsen-jyd8 |
|
| 11 |
| vulnerability |
VCID-m9e2-rg83-d7eb |
|
| 12 |
| vulnerability |
VCID-p6f7-utd6-eqej |
|
| 13 |
| vulnerability |
VCID-pj86-ync3-gyan |
|
| 14 |
| vulnerability |
VCID-yetr-unnz-gbhn |
|
| 15 |
| vulnerability |
VCID-zgxf-qxwu-pqf9 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7 |
|
|
| aliases |
CVE-2019-10912, GHSA-w2fr-65vp-mxw3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zeut-9wfp-q7et |
|
| 26 |
| url |
VCID-zgxf-qxwu-pqf9 |
| vulnerability_id |
VCID-zgxf-qxwu-pqf9 |
| summary |
Symfony vulnerable to open redirect via browser-sanitized URLs
The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/symfony/symfony |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/symfony/symfony |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://url.spec.whatwg.org |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/ |
|
|
| url |
https://url.spec.whatwg.org |
|
| 6 |
|
| 7 |
| reference_url |
https://symfony.com/cve-2024-50345 |
| reference_id |
CVE-2024-50345 |
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://symfony.com/cve-2024-50345 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-50345, GHSA-mrqx-rp3w-jpjp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zgxf-qxwu-pqf9 |
|