VulnerableCode Package Details - pkg:composer/symfony/http-kernel@2.5.0-BETA2

Search for packages

Vulnerability	Summary	Fixed by
VCID-jqh6-rwsw-73bs Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv	Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) The UriSigner was subjectto timing attacks.	2.8.52 Affected by 0 other vulnerabilities. 3.4.35 Affected by 0 other vulnerabilities. 4.2.12 Affected by 0 other vulnerabilities. 4.3.8 Affected by 0 other vulnerabilities.
VCID-mtb5-t6y4-w3eb Aliases: CVE-2015-4050 GHSA-qmqw-mpqp-mr54	Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.	2.5.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.6.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-wdz4-hfer-1ud1 Aliases: CVE-2015-2308 GHSA-5c58-w9xc-qcj9	Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.	2.5.11 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.6.6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-jqh6-rwsw-73bs
Aliases:
CVE-2019-18887
GHSA-q8hg-pf8v-cxrv

Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) The UriSigner was subjectto timing attacks.

2.8.52
Affected by 0 other vulnerabilities.

3.4.35
Affected by 0 other vulnerabilities.

4.2.12
Affected by 0 other vulnerabilities.

4.3.8
Affected by 0 other vulnerabilities.

VCID-mtb5-t6y4-w3eb
Aliases:
CVE-2015-4050
GHSA-qmqw-mpqp-mr54

Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.

2.5.0
Affected by 3 other vulnerabilities.

2.5.12
Affected by 1 other vulnerability.

2.6.8
Affected by 1 other vulnerability.

VCID-wdz4-hfer-1ud1
Aliases:
CVE-2015-2308
GHSA-5c58-w9xc-qcj9

Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.

2.5.11
Affected by 2 other vulnerabilities.

2.6.6
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:25:40.453887+00:00	GitLab Importer	Affected by	VCID-jqh6-rwsw-73bs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2019-18887.yml	38.6.0
2026-06-04T20:04:53.945338+00:00	GitLab Importer	Affected by	VCID-wdz4-hfer-1ud1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-2308.yml	38.6.0
2026-06-04T20:04:51.828270+00:00	GitLab Importer	Affected by	VCID-mtb5-t6y4-w3eb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	38.6.0