Search for packages
| purl | pkg:composer/symfony/symfony@3.1.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27sw-43vt-ukh3
Aliases: CVE-2018-19789 GHSA-x3cf-w64x-4cp2 |
Unrestricted Upload of File with Dangerous Type When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
Affected by 17 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-2hua-7wbd-tqbx
Aliases: CVE-2018-11386 GHSA-r2rq-3h56-fqm4 |
Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-3uu1-kftu-nbhd
Aliases: CVE-2019-10913 GHSA-x92h-wmg2-6hp7 |
SQL Injection In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. |
Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-4mkw-tv16-jyca
Aliases: CVE-2019-10912 GHSA-w2fr-65vp-mxw3 |
Deserialization of Untrusted Data In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. |
Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-4num-z8cg-83gt
Aliases: CVE-2024-51736 GHSA-qq5c-677p-737q |
Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-556v-rym3-6yax
Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg |
Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-636u-5bdw-puh4
Aliases: CVE-2019-10909 GHSA-g996-q5r8-w7g2 |
Cross-site Scripting In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. |
Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-71vh-7wte-kfcx
Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg |
Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-7sm1-74du-47gc
Aliases: CVE-2019-10910 GHSA-pgwj-prpq-jpc2 |
Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-9bzz-84cq-ykh2
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-9rsx-fscb-6fh3
Aliases: CVE-2019-18889 GHSA-79gr-58r3-pwm3 |
Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. |
Affected by 26 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-bdhj-np35-sybt
Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3 |
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
Affected by 6 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-bhfu-7788-fbhc
Aliases: CVE-2018-14773 GHSA-8wgj-6wx8-h5hq |
URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
Affected by 21 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-bpkv-qrmp-huac
Aliases: CVE-2019-10911 GHSA-cchx-mfrc-fwqr |
Improper Authentication In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
Affected by 12 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-c8ar-82sr-fqej
Aliases: CVE-2024-50343 GHSA-g3rh-rrhp-jhh9 |
Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-dqaj-qmbd-cya1
Aliases: CVE-2018-11407 GHSA-35c5-28pg-2qg4 |
Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
Affected by 27 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-e71e-d4tr-wqgz
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue. |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-guzg-x6nu-pygu
Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv |
Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. |
Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-jdsd-3vnz-uygn
Aliases: CVE-2019-18888 GHSA-xhh6-956q-4q69 |
Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-k8zb-z9em-vqgm
Aliases: CVE-2018-11408 GHSA-7hwc-2cq4-6x2w |
URL Redirection to Untrusted Site (Open Redirect) The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container. |
Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-kgu6-gj5d-7bfx
Aliases: CVE-2026-24739 GHSA-r39x-jcww-82v6 |
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows ### Summary The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. ### Impact If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). ### Resolution Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped). The patch for branch 5.4 is available at https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b ### Workarounds / Mitigations Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-p1dw-w76f-gbfv
Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm |
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-qwcj-hq3g-2qd7
Aliases: CVE-2022-23601 GHSA-vvmr-8829-6whx |
Cross-Site Request Forgery (CSRF) Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-rgh3-ef8t-k3ec
Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
Duplicate This advisory duplicates another. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-skth-cf6d-3ubr
Aliases: CVE-2017-18343 |
Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
Affected by 30 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-thtp-ehsj-t3ej
Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211 |
Duplicate This advisory duplicates another. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-v81g-hqja-hue2
Aliases: CVE-2018-19790 GHSA-89r2-5g34-2g47 |
URL Redirection to Untrusted Site (Open Redirect) By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
Affected by 17 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 21 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||