Search for packages
| purl | pkg:deb/debian/symfony@3.4.22%2Bdfsg-2%2Bdeb10u1 |
| Next non-vulnerable version | 5.4.23+dfsg-1+deb12u5 |
| Latest non-vulnerable version | 5.4.23+dfsg-1+deb12u5 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9bzz-84cq-ykh2
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 0 other vulnerabilities. |
|
VCID-9qrr-z4mp-vyfp
Aliases: CVE-2019-18886 GHSA-4vpc-5jx4-cfqg |
User enumeration leak using switch user functionality in Symfony An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. |
Affected by 3 other vulnerabilities. |
|
VCID-9rsx-fscb-6fh3
Aliases: CVE-2019-18889 GHSA-79gr-58r3-pwm3 |
Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. |
Affected by 3 other vulnerabilities. |
|
VCID-bdhj-np35-sybt
Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3 |
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
Affected by 3 other vulnerabilities. |
|
VCID-c8ar-82sr-fqej
Aliases: CVE-2024-50343 GHSA-g3rh-rrhp-jhh9 |
Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. |
Affected by 0 other vulnerabilities. |
|
VCID-e71e-d4tr-wqgz
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-grxm-dpcv-37d9
Aliases: CVE-2020-5275 GHSA-g4m9-5hpf-hx72 |
Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-guzg-x6nu-pygu
Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv |
Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-j2su-wjra-tbh1
Aliases: CVE-2021-41270 GHSA-2xhg-w2g5-w95x |
Improper Neutralization of Formula Elements in a CSV File `Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. |
Affected by 3 other vulnerabilities. |
|
VCID-jdsd-3vnz-uygn
Aliases: CVE-2019-18888 GHSA-xhh6-956q-4q69 |
Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
Affected by 3 other vulnerabilities. |
|
VCID-pgk7-bnxx-ckeq
Aliases: CVE-2020-5255 GHSA-mcx4-f5f5-4859 |
Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-rgh3-ef8t-k3ec
Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. |
|
VCID-thtp-ehsj-t3ej
Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211 |
Duplicate This advisory duplicates another. |
Affected by 3 other vulnerabilities. |
|
VCID-txk7-krb1-bqd9
Aliases: CVE-2020-15094 GHSA-754h-5r27-7x3r |
RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-ugce-e42m-1fgj
Aliases: CVE-2020-5274 GHSA-m884-279h-32v2 |
Exceptions displayed in non-debug configurations in Symfony Description ----------- When `ErrorHandler` renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-`debug` environments. Resolution ---------- The `ErrorHandler` class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-`debug` environments. The patches for this issue are available [here](https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad) and [here](https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db) for branch 4.4. Credits ------- I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue. |
Affected by 3 other vulnerabilities. |
|
VCID-wd9z-d4h5-hkax
Aliases: CVE-2019-11325 GHSA-w4rc-rx25-8m86 |
Improper Input Validation in Symfony An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-27sw-43vt-ukh3 | Unrestricted Upload of File with Dangerous Type When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
CVE-2018-19789
GHSA-x3cf-w64x-4cp2 |
| VCID-2hua-7wbd-tqbx | Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
CVE-2018-11386
GHSA-r2rq-3h56-fqm4 |
| VCID-3uu1-kftu-nbhd | SQL Injection In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. |
CVE-2019-10913
GHSA-x92h-wmg2-6hp7 |
| VCID-4mkw-tv16-jyca | Deserialization of Untrusted Data In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. |
CVE-2019-10912
GHSA-w2fr-65vp-mxw3 |
| VCID-556v-rym3-6yax | Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
CVE-2018-11406
GHSA-g4g7-q726-v5hg |
| VCID-636u-5bdw-puh4 | Cross-site Scripting In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. |
CVE-2019-10909
GHSA-g996-q5r8-w7g2 |
| VCID-71vh-7wte-kfcx | Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
CVE-2018-11385
GHSA-g4rg-rw65-8hfg |
| VCID-7sm1-74du-47gc | Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
CVE-2019-10910
GHSA-pgwj-prpq-jpc2 |
| VCID-bhfu-7788-fbhc | URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
CVE-2018-14773
GHSA-8wgj-6wx8-h5hq |
| VCID-bpkv-qrmp-huac | Improper Authentication In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
CVE-2019-10911
GHSA-cchx-mfrc-fwqr |
| VCID-c3p1-j3qy-33cx | Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). |
CVE-2018-12040
|
| VCID-dqaj-qmbd-cya1 | Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
CVE-2018-11407
GHSA-35c5-28pg-2qg4 |
| VCID-guzg-x6nu-pygu | Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. |
CVE-2019-18887
GHSA-q8hg-pf8v-cxrv |
| VCID-hxhq-zdyu-dudz | Attacker can read all files content on the server When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker. |
CVE-2017-16790
GHSA-cqqh-94r6-wjrg |
| VCID-jdsd-3vnz-uygn | Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
CVE-2019-18888
GHSA-xhh6-956q-4q69 |
| VCID-k8zb-z9em-vqgm | URL Redirection to Untrusted Site (Open Redirect) The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container. |
CVE-2018-11408
GHSA-7hwc-2cq4-6x2w |
| VCID-mm7e-kb6c-vucx | `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks. |
CVE-2017-16652
GHSA-r7p7-qr7p-2rrf |
| VCID-skth-cf6d-3ubr | Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
CVE-2017-18343
|
| VCID-t2dx-5us4-mkf1 | Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS. |
CVE-2017-16653
GHSA-92x6-h2gr-8gxq |
| VCID-v81g-hqja-hue2 | URL Redirection to Untrusted Site (Open Redirect) By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
CVE-2018-19790
GHSA-89r2-5g34-2g47 |
| VCID-vpsz-zhhq-xfbw | An attacker can navigate to arbitrary directories via the dot-dot-slash attack This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack. |
CVE-2017-16654
GHSA-c49r-8gj6-768r |
| VCID-z2r1-8bdp-w7f5 | Improper Input Validation An issue was discovered in `HttpKernel` in Symfony When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. |
CVE-2018-14774
GHSA-66p6-7p29-55p9 |