Search for packages
| purl | pkg:deb/debian/symfony@2.3.21%2Bdfsg-4 |
| Next non-vulnerable version | 5.4.23+dfsg-1+deb12u5 |
| Latest non-vulnerable version | 5.4.23+dfsg-1+deb12u5 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27sw-43vt-ukh3
Aliases: CVE-2018-19789 GHSA-x3cf-w64x-4cp2 |
Unrestricted Upload of File with Dangerous Type When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-2hua-7wbd-tqbx
Aliases: CVE-2018-11386 GHSA-r2rq-3h56-fqm4 |
Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-3uu1-kftu-nbhd
Aliases: CVE-2019-10913 GHSA-x92h-wmg2-6hp7 |
SQL Injection In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-4mkw-tv16-jyca
Aliases: CVE-2019-10912 GHSA-w2fr-65vp-mxw3 |
Deserialization of Untrusted Data In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-556v-rym3-6yax
Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg |
Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-5u5z-qzg2-sbhg
Aliases: CVE-2015-8125 GHSA-g97c-jfx6-xvxh |
Information Exposure Through Timing Discrepancy Symfony allows remote attackers to have unspecified impact via a timing attack. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-636u-5bdw-puh4
Aliases: CVE-2019-10909 GHSA-g996-q5r8-w7g2 |
Cross-site Scripting In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-71vh-7wte-kfcx
Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg |
Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-72pa-a6sv-fyg6
Aliases: CVE-2016-2403 GHSA-wvj5-r78r-hhfq |
Unauthorized access on a misconfigured LDAP server There's a flaw in `LdapBindAuthenticationProvider` that allows for an unauthorized access on a misconfigured LDAP server when using an empty password. Applications are affected only if they use the LDAP authentication provider. |
Affected by 36 other vulnerabilities. |
|
VCID-7sm1-74du-47gc
Aliases: CVE-2019-10910 GHSA-pgwj-prpq-jpc2 |
Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-9bzz-84cq-ykh2
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 0 other vulnerabilities. |
|
VCID-9qrr-z4mp-vyfp
Aliases: CVE-2019-18886 GHSA-4vpc-5jx4-cfqg |
User enumeration leak using switch user functionality in Symfony An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. |
Affected by 3 other vulnerabilities. |
|
VCID-9rsx-fscb-6fh3
Aliases: CVE-2019-18889 GHSA-79gr-58r3-pwm3 |
Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. |
Affected by 3 other vulnerabilities. |
|
VCID-ahmf-nthw-ufaq
Aliases: CVE-2016-1902 GHSA-jjx5-fq5g-8xpc |
Cryptographic Issues The `nextBytes` function in the `SecureRandom` class in Symfony does not properly generate random numbers when used with PHP without the `paragonie/random_compat` library and the `openssl_random_pseudo_bytes` function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-bdhj-np35-sybt
Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3 |
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
Affected by 3 other vulnerabilities. |
|
VCID-bhfu-7788-fbhc
Aliases: CVE-2018-14773 GHSA-8wgj-6wx8-h5hq |
URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-bpkv-qrmp-huac
Aliases: CVE-2019-10911 GHSA-cchx-mfrc-fwqr |
Improper Authentication In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-c3p1-j3qy-33cx
Aliases: CVE-2018-12040 |
Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). |
Affected by 16 other vulnerabilities. |
|
VCID-c8ar-82sr-fqej
Aliases: CVE-2024-50343 GHSA-g3rh-rrhp-jhh9 |
Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. |
Affected by 0 other vulnerabilities. |
|
VCID-dqaj-qmbd-cya1
Aliases: CVE-2018-11407 GHSA-35c5-28pg-2qg4 |
Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
Affected by 16 other vulnerabilities. |
|
VCID-e71e-d4tr-wqgz
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-fy39-ys3p-5ucm
Aliases: CVE-2015-8124 GHSA-j5jh-hpr4-h332 |
Session Fixation Session fixation vulnerability in the `Remember Me` login feature in Symfony allows remote attackers to hijack web sessions via a session id. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-grxm-dpcv-37d9
Aliases: CVE-2020-5275 GHSA-g4m9-5hpf-hx72 |
Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. GarcÃa Lagar for reporting & Robin Chalas for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-guzg-x6nu-pygu
Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv |
Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-hxhq-zdyu-dudz
Aliases: CVE-2017-16790 GHSA-cqqh-94r6-wjrg |
Attacker can read all files content on the server When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-j2su-wjra-tbh1
Aliases: CVE-2021-41270 GHSA-2xhg-w2g5-w95x |
Improper Neutralization of Formula Elements in a CSV File `Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. |
Affected by 3 other vulnerabilities. |
|
VCID-jdsd-3vnz-uygn
Aliases: CVE-2019-18888 GHSA-xhh6-956q-4q69 |
Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-k8zb-z9em-vqgm
Aliases: CVE-2018-11408 GHSA-7hwc-2cq4-6x2w |
URL Redirection to Untrusted Site (Open Redirect) The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container. |
Affected by 16 other vulnerabilities. |
|
VCID-mm7e-kb6c-vucx
Aliases: CVE-2017-16652 GHSA-r7p7-qr7p-2rrf |
`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-nsk8-bk5e-tbfh
Aliases: CVE-2016-4423 GHSA-whgv-8cg3-7hcm |
CVE-2016-4423: Large username storage in session The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-pgk7-bnxx-ckeq
Aliases: CVE-2020-5255 GHSA-mcx4-f5f5-4859 |
Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-rgh3-ef8t-k3ec
Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. |
|
VCID-skth-cf6d-3ubr
Aliases: CVE-2017-18343 |
Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
Affected by 16 other vulnerabilities. |
|
VCID-t2dx-5us4-mkf1
Aliases: CVE-2017-16653 GHSA-92x6-h2gr-8gxq |
Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-thtp-ehsj-t3ej
Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. |
|
VCID-txk7-krb1-bqd9
Aliases: CVE-2020-15094 GHSA-754h-5r27-7x3r |
RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-ugce-e42m-1fgj
Aliases: CVE-2020-5274 GHSA-m884-279h-32v2 |
Exceptions displayed in non-debug configurations in Symfony Description ----------- When `ErrorHandler` renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-`debug` environments. Resolution ---------- The `ErrorHandler` class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-`debug` environments. The patches for this issue are available [here](https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad) and [here](https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db) for branch 4.4. Credits ------- I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-up7g-6ewp-uya5
Aliases: CVE-2015-4050 GHSA-qmqw-mpqp-mr54 |
Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. |
Affected by 42 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-v81g-hqja-hue2
Aliases: CVE-2018-19790 GHSA-89r2-5g34-2g47 |
URL Redirection to Untrusted Site (Open Redirect) By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-vpsz-zhhq-xfbw
Aliases: CVE-2017-16654 GHSA-c49r-8gj6-768r |
An attacker can navigate to arbitrary directories via the dot-dot-slash attack This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-wd9z-d4h5-hkax
Aliases: CVE-2019-11325 GHSA-w4rc-rx25-8m86 |
Improper Input Validation in Symfony An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. |
Affected by 3 other vulnerabilities. |
|
VCID-z2r1-8bdp-w7f5
Aliases: CVE-2018-14774 GHSA-66p6-7p29-55p9 |
Improper Input Validation An issue was discovered in `HttpKernel` in Symfony When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. |
Affected by 16 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1cad-s6nn-j7aw | embedded prototype.js JavaScript hijacking |
CVE-2007-2383
|
| VCID-d1kp-7aht-9qa2 | Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. |
CVE-2015-2308
GHSA-5c58-w9xc-qcj9 |
| VCID-tekr-xkck-pkfu | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. |
CVE-2008-7220
|
| VCID-wwhm-mrr3-v7h3 | Unsafe methods in the Request class The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`. |
CVE-2015-2309
GHSA-p684-f7fh-jv2j |