Search for packages
| purl | pkg:composer/symfony/security@3.2.0-BETA1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-23hr-yznx-c3fb
Aliases: CVE-2019-10911 GHSA-cchx-mfrc-fwqr |
Improper Authentication In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-djnm-e9r4-c3f5
Aliases: CVE-2017-16652 GHSA-r7p7-qr7p-2rrf |
`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-dsbx-q641-4fc7
Aliases: CVE-2017-16653 GHSA-92x6-h2gr-8gxq |
Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-ef86-hqv4-6kaz
Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg |
Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-mew1-9shg-mugs
Aliases: CVE-2018-19790 GHSA-89r2-5g34-2g47 |
URL Redirection to Untrusted Site (Open Redirect) By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-p6f7-utd6-eqej
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Information Exposure Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that status codes are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-uuk9-e5qy-rfgf
Aliases: CVE-2018-11407 GHSA-35c5-28pg-2qg4 |
Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-vyug-krcw-jyef
Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg |
Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||