VulnerableCode Package Details - pkg:composer/symfony/security-http@5.2.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-bdhj-np35-sybt Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3	Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.	5.4.31 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.3.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-n3d2-zwve-gbf5 Aliases: CVE-2021-41267 GHSA-q3j3-w37x-hq2q	Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') `Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored and protect users from Cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the `trusted_headers` allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue.	5.4.0-BETA1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.4.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-v4rq-bsry-puct Aliases: CVE-2024-36611 GHSA-7q22-x757-cmgc	Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.	7.1.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-bdhj-np35-sybt
Aliases:
CVE-2023-46734
GHSA-q847-2q57-wmr3

Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

5.4.31
Affected by 2 other vulnerabilities.

6.3.8
Affected by 2 other vulnerabilities.

VCID-n3d2-zwve-gbf5
Aliases:
CVE-2021-41267
GHSA-q3j3-w37x-hq2q

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') `Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored and protect users from Cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the `trusted_headers` allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue.

5.4.0-BETA1
Affected by 3 other vulnerabilities.

5.4.0
Affected by 3 other vulnerabilities.

VCID-v4rq-bsry-puct
Aliases:
CVE-2024-36611
GHSA-7q22-x757-cmgc

Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.

7.1.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-e71e-d4tr-wqgz	Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.	CVE-2021-21424 GHSA-5pv8-ppvj-4h68
VCID-sfsw-131u-27dp	User enumeration in authentication mechanisms Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.	GHSA-g2qj-pmxm-9f8f GMS-2021-130 GMS-2021-131

Vulnerability

Summary

Aliases

VCID-e71e-d4tr-wqgz

Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

CVE-2021-21424
GHSA-5pv8-ppvj-4h68

VCID-sfsw-131u-27dp

User enumeration in authentication mechanisms Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

GHSA-g2qj-pmxm-9f8f
GMS-2021-130
GMS-2021-131

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:34:31.742681+00:00	GitLab Importer	Affected by	VCID-v4rq-bsry-puct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml	38.3.0
2026-04-12T00:02:35.587117+00:00	GitLab Importer	Affected by	VCID-bdhj-np35-sybt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2023-46734.yml	38.3.0
2026-04-11T22:48:47.763066+00:00	GitLab Importer	Affected by	VCID-n3d2-zwve-gbf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml	38.3.0
2026-04-11T22:35:45.691101+00:00	GitLab Importer	Fixing	VCID-sfsw-131u-27dp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/GMS-2021-130.yml	38.3.0
2026-04-11T22:35:39.905411+00:00	GitLab Importer	Fixing	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-21424.yml	38.3.0
2026-04-03T00:42:16.122501+00:00	GitLab Importer	Affected by	VCID-v4rq-bsry-puct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml	38.1.0
2026-04-03T00:05:35.061275+00:00	GitLab Importer	Affected by	VCID-bdhj-np35-sybt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2023-46734.yml	38.1.0
2026-04-02T22:58:20.715190+00:00	GitLab Importer	Affected by	VCID-n3d2-zwve-gbf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml	38.1.0
2026-04-02T22:46:48.372209+00:00	GitLab Importer	Fixing	VCID-sfsw-131u-27dp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/GMS-2021-130.yml	38.1.0
2026-04-02T22:46:42.875580+00:00	GitLab Importer	Fixing	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-21424.yml	38.1.0
2026-04-02T16:56:41.704232+00:00	GHSA Importer	Fixing	VCID-sfsw-131u-27dp	https://github.com/advisories/GHSA-g2qj-pmxm-9f8f	38.1.0
2026-04-02T16:56:40.516416+00:00	GHSA Importer	Fixing	VCID-e71e-d4tr-wqgz	https://github.com/advisories/GHSA-5pv8-ppvj-4h68	38.1.0
2026-04-02T12:38:24.452630+00:00	GitLab Importer	Fixing	VCID-sfsw-131u-27dp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/GMS-2021-130.yml	38.0.0
2026-04-01T17:16:54.938562+00:00	GitLab Importer	Affected by	VCID-n3d2-zwve-gbf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml	38.0.0
2026-04-01T17:04:39.634690+00:00	GitLab Importer	Fixing	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-21424.yml	38.0.0
2026-04-01T13:03:09.896645+00:00	GithubOSV Importer	Fixing	VCID-sfsw-131u-27dp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-g2qj-pmxm-9f8f/GHSA-g2qj-pmxm-9f8f.json	38.0.0
2026-04-01T13:02:49.876274+00:00	GithubOSV Importer	Fixing	VCID-e71e-d4tr-wqgz	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-5pv8-ppvj-4h68/GHSA-5pv8-ppvj-4h68.json	38.0.0