Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/symfony@2.8.0
Typecomposer
Namespacesymfony
Namesymfony
Version2.8.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.8.6
Latest_non_vulnerable_version8.0.5
Affected_by_vulnerabilities
0
url VCID-1y96-v19f-tkgg
vulnerability_id VCID-1y96-v19f-tkgg
summary 
Improper Input Validation
An issue was discovered in `HttpKernel` in Symfony When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
references
0
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-14774
reference_id CVE-2018-14774
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2018-14774
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.44
purl pkg:composer/symfony/symfony@2.8.44
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.44
1
url pkg:composer/symfony/symfony@3.3.18
purl pkg:composer/symfony/symfony@3.3.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.18
2
url pkg:composer/symfony/symfony@3.4.14
purl pkg:composer/symfony/symfony@3.4.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.14
3
url pkg:composer/symfony/symfony@4.0.14
purl pkg:composer/symfony/symfony@4.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.14
4
url pkg:composer/symfony/symfony@4.1.3
purl pkg:composer/symfony/symfony@4.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3
aliases CVE-2018-14774
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1y96-v19f-tkgg
1
url VCID-23hr-yznx-c3fb
vulnerability_id VCID-23hr-yznx-c3fb
summary 
Improper Authentication
In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.
references
0
reference_url https://symfony.com/cve-2019-10911
reference_id CVE-2019-10911
reference_type
scores
url https://symfony.com/cve-2019-10911
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.50
purl pkg:composer/symfony/symfony@2.8.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50
1
url pkg:composer/symfony/symfony@3.4.26
purl pkg:composer/symfony/symfony@3.4.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26
2
url pkg:composer/symfony/symfony@4.2.7
purl pkg:composer/symfony/symfony@4.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7
aliases CVE-2019-10911
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-23hr-yznx-c3fb
2
url VCID-3qct-gbgt-kkbb
vulnerability_id VCID-3qct-gbgt-kkbb
summary 
Cross-site Scripting
The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI.
references
0
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-18343
reference_id CVE-2017-18343
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-18343
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.26
purl pkg:composer/symfony/symfony@2.8.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.26
1
url pkg:composer/symfony/symfony@3.2.13
purl pkg:composer/symfony/symfony@3.2.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-djnm-e9r4-c3f5
1
vulnerability VCID-dsbx-q641-4fc7
2
vulnerability VCID-xdtu-22ad-63aq
3
vulnerability VCID-xj13-fspe-hfgv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13
2
url pkg:composer/symfony/symfony@3.3.6
purl pkg:composer/symfony/symfony@3.3.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.6
aliases CVE-2017-18343
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3qct-gbgt-kkbb
3
url VCID-6c6t-kmb3-2qcm
vulnerability_id VCID-6c6t-kmb3-2qcm
summary 
Cross-site Scripting
In Symfony, validation messages are not escaped, which can lead to XSS when user input is included.
references
0
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-10909
reference_id CVE-2019-10909
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2019-10909
1
reference_url https://symfony.com/cve-2019-10909
reference_id CVE-2019-10909
reference_type
scores
url https://symfony.com/cve-2019-10909
2
reference_url https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
reference_id CVE-2019-10909-ESCAPE-VALIDATION-MESSAGES-IN-THE-PHP-TEMPLATING-ENGINE
reference_type
scores
url https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.50
purl pkg:composer/symfony/symfony@2.8.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50
1
url pkg:composer/symfony/symfony@3.4.26
purl pkg:composer/symfony/symfony@3.4.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26
2
url pkg:composer/symfony/symfony@4.2.7
purl pkg:composer/symfony/symfony@4.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7
aliases CVE-2019-10909
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6c6t-kmb3-2qcm
4
url VCID-7m45-bvbn-4qd3
vulnerability_id VCID-7m45-bvbn-4qd3
summary 
SQL Injection
In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.
references
0
reference_url https://symfony.com/cve-2019-10913
reference_id CVE-2019-10913
reference_type
scores
url https://symfony.com/cve-2019-10913
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.50
purl pkg:composer/symfony/symfony@2.8.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50
1
url pkg:composer/symfony/symfony@3.4.26
purl pkg:composer/symfony/symfony@3.4.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26
2
url pkg:composer/symfony/symfony@4.2.7
purl pkg:composer/symfony/symfony@4.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7
aliases CVE-2019-10913
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7m45-bvbn-4qd3
5
url VCID-frbz-vpfe-vbh9
vulnerability_id VCID-frbz-vpfe-vbh9
summary 
Unrestricted Upload of File with Dangerous Type
When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.
references
0
reference_url https://symfony.com/cve-2018-19789
reference_id CVE-2018-19789
reference_type
scores
url https://symfony.com/cve-2018-19789
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.49
purl pkg:composer/symfony/symfony@2.8.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49
1
url pkg:composer/symfony/symfony@3.4.20
purl pkg:composer/symfony/symfony@3.4.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20
2
url pkg:composer/symfony/symfony@4.0.15
purl pkg:composer/symfony/symfony@4.0.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15
3
url pkg:composer/symfony/symfony@4.1.9
purl pkg:composer/symfony/symfony@4.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9
4
url pkg:composer/symfony/symfony@4.2.1
purl pkg:composer/symfony/symfony@4.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1
aliases CVE-2018-19789
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-frbz-vpfe-vbh9
6
url VCID-mew1-9shg-mugs
vulnerability_id VCID-mew1-9shg-mugs
summary 
URL Redirection to Untrusted Site (Open Redirect)
By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
references
0
reference_url https://symfony.com/cve-2018-19790
reference_id CVE-2018-19790
reference_type
scores
url https://symfony.com/cve-2018-19790
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.49
purl pkg:composer/symfony/symfony@2.8.49
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49
1
url pkg:composer/symfony/symfony@3.4.20
purl pkg:composer/symfony/symfony@3.4.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20
2
url pkg:composer/symfony/symfony@4.0.15
purl pkg:composer/symfony/symfony@4.0.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15
3
url pkg:composer/symfony/symfony@4.1.9
purl pkg:composer/symfony/symfony@4.1.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9
4
url pkg:composer/symfony/symfony@4.2.1
purl pkg:composer/symfony/symfony@4.2.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1
aliases CVE-2018-19790
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mew1-9shg-mugs
7
url VCID-tx26-92jc-rkff
vulnerability_id VCID-tx26-92jc-rkff
summary 
URL Redirection to Untrusted Site (Open Redirect)
The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container.
references
0
reference_url https://symfony.com/cve-2018-11408
reference_id CVE-2018-11408
reference_type
scores
url https://symfony.com/cve-2018-11408
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.41
purl pkg:composer/symfony/symfony@2.8.41
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41
1
url pkg:composer/symfony/symfony@3.4.11
purl pkg:composer/symfony/symfony@3.4.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11
2
url pkg:composer/symfony/symfony@4.0.11
purl pkg:composer/symfony/symfony@4.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11
aliases CVE-2018-11408
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tx26-92jc-rkff
8
url VCID-uuk9-e5qy-rfgf
vulnerability_id VCID-uuk9-e5qy-rfgf
summary 
Improper Authentication
An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind.
references
0
reference_url https://symfony.com/cve-2018-11407
reference_id CVE-2018-11407
reference_type
scores
url https://symfony.com/cve-2018-11407
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.37
purl pkg:composer/symfony/symfony@2.8.37
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.37
1
url pkg:composer/symfony/symfony@3.4.7
purl pkg:composer/symfony/symfony@3.4.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.7
2
url pkg:composer/symfony/symfony@4.0.7
purl pkg:composer/symfony/symfony@4.0.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.7
aliases CVE-2018-11407
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uuk9-e5qy-rfgf
9
url VCID-zeut-9wfp-q7et
vulnerability_id VCID-zeut-9wfp-q7et
summary 
Deserialization of Untrusted Data
In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to.
references
0
reference_url https://symfony.com/cve-2019-10912
reference_id CVE-2019-10912
reference_type
scores
url https://symfony.com/cve-2019-10912
fixed_packages
0
url pkg:composer/symfony/symfony@2.8.50
purl pkg:composer/symfony/symfony@2.8.50
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50
1
url pkg:composer/symfony/symfony@3.4.26
purl pkg:composer/symfony/symfony@3.4.26
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26
2
url pkg:composer/symfony/symfony@4.2.7
purl pkg:composer/symfony/symfony@4.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7
aliases CVE-2019-10912
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zeut-9wfp-q7et
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.0