VulnerableCode Package Details - pkg:composer/symfony/security@2.3.41

Search for packages

Vulnerability	Summary	Fixed by
VCID-556v-rym3-6yax Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg	Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.	2.7.48 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.8.41 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.3.17 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.4.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-71vh-7wte-kfcx Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg	Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.	2.7.48 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.8.41 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.3.17 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.4.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.0.11 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-556v-rym3-6yax
Aliases:
CVE-2018-11406
GHSA-g4g7-q726-v5hg

Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

2.7.48
Affected by 5 other vulnerabilities.

2.8.41
Affected by 3 other vulnerabilities.

3.3.17
Affected by 6 other vulnerabilities.

3.4.11
Affected by 3 other vulnerabilities.

4.0.11
Affected by 3 other vulnerabilities.

VCID-71vh-7wte-kfcx
Aliases:
CVE-2018-11385
GHSA-g4rg-rw65-8hfg

Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

2.7.48
Affected by 5 other vulnerabilities.

2.8.41
Affected by 3 other vulnerabilities.

3.3.17
Affected by 6 other vulnerabilities.

3.4.11
Affected by 3 other vulnerabilities.

4.0.11
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-nsk8-bk5e-tbfh	CVE-2016-4423: Large username storage in session The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.	CVE-2016-4423 GHSA-whgv-8cg3-7hcm

Vulnerability

Summary

Aliases

VCID-nsk8-bk5e-tbfh

CVE-2016-4423: Large username storage in session The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

CVE-2016-4423
GHSA-whgv-8cg3-7hcm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T20:45:31.149473+00:00	GitLab Importer	Affected by	VCID-71vh-7wte-kfcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11385.yml	38.4.0
2026-04-16T20:45:29.945397+00:00	GitLab Importer	Affected by	VCID-556v-rym3-6yax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11406.yml	38.4.0
2026-04-16T20:34:06.632899+00:00	GitLab Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml	38.4.0
2026-04-11T21:56:18.046847+00:00	GitLab Importer	Affected by	VCID-71vh-7wte-kfcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11385.yml	38.3.0
2026-04-11T21:56:16.668976+00:00	GitLab Importer	Affected by	VCID-556v-rym3-6yax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11406.yml	38.3.0
2026-04-11T21:44:34.114449+00:00	GitLab Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml	38.3.0
2026-04-04T14:31:35.800118+00:00	GHSA Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://github.com/advisories/GHSA-whgv-8cg3-7hcm	38.1.0
2026-04-02T22:09:42.206132+00:00	GitLab Importer	Affected by	VCID-71vh-7wte-kfcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11385.yml	38.1.0
2026-04-02T22:09:40.978853+00:00	GitLab Importer	Affected by	VCID-556v-rym3-6yax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11406.yml	38.1.0
2026-04-02T21:58:38.862413+00:00	GitLab Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml	38.1.0
2026-04-01T16:26:59.081459+00:00	GitLab Importer	Affected by	VCID-71vh-7wte-kfcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11385.yml	38.0.0
2026-04-01T16:26:57.655430+00:00	GitLab Importer	Affected by	VCID-556v-rym3-6yax	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2018-11406.yml	38.0.0
2026-04-01T13:11:08.260680+00:00	GithubOSV Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-whgv-8cg3-7hcm/GHSA-whgv-8cg3-7hcm.json	38.0.0
2026-04-01T12:47:03.895645+00:00	GitLab Importer	Fixing	VCID-nsk8-bk5e-tbfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2016-4423.yml	38.0.0