VulnerableCode Package Details - pkg:deb/debian/symfony@3.4.0%2Bdfsg-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hxhq-zdyu-dudz	Attacker can read all files content on the server When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.	CVE-2017-16790 GHSA-cqqh-94r6-wjrg
VCID-mm7e-kb6c-vucx	`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.	CVE-2017-16652 GHSA-r7p7-qr7p-2rrf
VCID-skth-cf6d-3ubr	Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI.	CVE-2017-18343
VCID-t2dx-5us4-mkf1	Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.	CVE-2017-16653 GHSA-92x6-h2gr-8gxq
VCID-vpsz-zhhq-xfbw	An attacker can navigate to arbitrary directories via the dot-dot-slash attack This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.	CVE-2017-16654 GHSA-c49r-8gj6-768r

Vulnerability

Summary

Aliases

VCID-hxhq-zdyu-dudz

Attacker can read all files content on the server When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.

CVE-2017-16790
GHSA-cqqh-94r6-wjrg

VCID-mm7e-kb6c-vucx

`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.

CVE-2017-16652
GHSA-r7p7-qr7p-2rrf

VCID-skth-cf6d-3ubr

Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI.

CVE-2017-18343

VCID-t2dx-5us4-mkf1

Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.

CVE-2017-16653
GHSA-92x6-h2gr-8gxq

VCID-vpsz-zhhq-xfbw

An attacker can navigate to arbitrary directories via the dot-dot-slash attack This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.

CVE-2017-16654
GHSA-c49r-8gj6-768r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:27:34.835775+00:00	Debian Importer	Fixing	VCID-vpsz-zhhq-xfbw	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:16:12.238855+00:00	Debian Importer	Fixing	VCID-hxhq-zdyu-dudz	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:27:55.684350+00:00	Debian Importer	Fixing	VCID-mm7e-kb6c-vucx	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:12:10.044061+00:00	Debian Importer	Fixing	VCID-skth-cf6d-3ubr	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:52:24.497044+00:00	Debian Importer	Fixing	VCID-t2dx-5us4-mkf1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:31:44.009447+00:00	Debian Importer	Fixing	VCID-vpsz-zhhq-xfbw	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:39:56.411071+00:00	Debian Importer	Fixing	VCID-hxhq-zdyu-dudz	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:18:45.733458+00:00	Debian Importer	Fixing	VCID-mm7e-kb6c-vucx	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:09:28.590499+00:00	Debian Importer	Fixing	VCID-skth-cf6d-3ubr	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:57:27.432547+00:00	Debian Importer	Fixing	VCID-t2dx-5us4-mkf1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:53:41.663296+00:00	Debian Importer	Fixing	VCID-skth-cf6d-3ubr	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:41.622601+00:00	Debian Importer	Fixing	VCID-hxhq-zdyu-dudz	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:41.578464+00:00	Debian Importer	Fixing	VCID-vpsz-zhhq-xfbw	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:41.537129+00:00	Debian Importer	Fixing	VCID-t2dx-5us4-mkf1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:41.495868+00:00	Debian Importer	Fixing	VCID-mm7e-kb6c-vucx	https://security-tracker.debian.org/tracker/data/json	38.1.0