Search for packages
| purl | pkg:deb/debian/symfony@6.4.21%2Bdfsg-2%2Bdeb13u1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1cad-s6nn-j7aw | embedded prototype.js JavaScript hijacking |
CVE-2007-2383
|
| VCID-27sw-43vt-ukh3 | Unrestricted Upload of File with Dangerous Type When using the scalar type hint `string` in a setter method (e.g. `setName(string$name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
CVE-2018-19789
GHSA-x3cf-w64x-4cp2 |
| VCID-2hua-7wbd-tqbx | Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
CVE-2018-11386
GHSA-r2rq-3h56-fqm4 |
| VCID-2ts3-y5j2-vufe | Authentication granted to all firewalls instead of just one Description ----------- When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application. Resolution ---------- We now ensure that the authenticated token is only available for the firewall that generates it. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728) for branch 5.3. Credits ------- I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue. |
CVE-2021-32693
GHSA-rfcf-m67m-jcrq |
| VCID-3uu1-kftu-nbhd | SQL Injection In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. |
CVE-2019-10913
GHSA-x92h-wmg2-6hp7 |
| VCID-4mkw-tv16-jyca | Deserialization of Untrusted Data In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. |
CVE-2019-10912
GHSA-w2fr-65vp-mxw3 |
| VCID-4num-z8cg-83gt | Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix. |
CVE-2024-51736
GHSA-qq5c-677p-737q |
| VCID-556v-rym3-6yax | Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
CVE-2018-11406
GHSA-g4g7-q726-v5hg |
| VCID-5u5z-qzg2-sbhg | Information Exposure Through Timing Discrepancy Symfony allows remote attackers to have unspecified impact via a timing attack. |
CVE-2015-8125
GHSA-g97c-jfx6-xvxh |
| VCID-636u-5bdw-puh4 | Cross-site Scripting In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. |
CVE-2019-10909
GHSA-g996-q5r8-w7g2 |
| VCID-71vh-7wte-kfcx | Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
CVE-2018-11385
GHSA-g4rg-rw65-8hfg |
| VCID-72pa-a6sv-fyg6 | Unauthorized access on a misconfigured LDAP server There's a flaw in `LdapBindAuthenticationProvider` that allows for an unauthorized access on a misconfigured LDAP server when using an empty password. Applications are affected only if they use the LDAP authentication provider. |
CVE-2016-2403
GHSA-wvj5-r78r-hhfq |
| VCID-76y9-1jsf-rfez | Empty passwords validation issue Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue. |
CVE-2017-11365
GHSA-q87v-q8fw-gmj5 |
| VCID-7hh3-16j3-4yaf | Symfony possible session fixation vulnerability Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier does not change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. |
CVE-2023-46733
GHSA-m2wj-r6g3-fxfx |
| VCID-7sm1-74du-47gc | Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. |
CVE-2019-10910
GHSA-pgwj-prpq-jpc2 |
| VCID-8kq8-2mv9-s3ad | Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix. |
CVE-2024-50342
GHSA-9c3x-r3wp-mgxm |
| VCID-9bzz-84cq-ykh2 | Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
CVE-2024-50345
GHSA-mrqx-rp3w-jpjp |
| VCID-9qrr-z4mp-vyfp | User enumeration leak using switch user functionality in Symfony An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security. |
CVE-2019-18886
GHSA-4vpc-5jx4-cfqg |
| VCID-9rsx-fscb-6fh3 | Symfony Unsafe Cache Serialization Could Enable RCE An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. |
CVE-2019-18889
GHSA-79gr-58r3-pwm3 |
| VCID-ahmf-nthw-ufaq | Cryptographic Issues The `nextBytes` function in the `SecureRandom` class in Symfony does not properly generate random numbers when used with PHP without the `paragonie/random_compat` library and the `openssl_random_pseudo_bytes` function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
CVE-2016-1902
GHSA-jjx5-fq5g-8xpc |
| VCID-bdhj-np35-sybt | Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
CVE-2023-46734
GHSA-q847-2q57-wmr3 |
| VCID-bhfu-7788-fbhc | URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
CVE-2018-14773
GHSA-8wgj-6wx8-h5hq |
| VCID-bpkv-qrmp-huac | Improper Authentication In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. |
CVE-2019-10911
GHSA-cchx-mfrc-fwqr |
| VCID-c3p1-j3qy-33cx | Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues). |
CVE-2018-12040
|
| VCID-c8ar-82sr-fqej | Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. |
CVE-2024-50343
GHSA-g3rh-rrhp-jhh9 |
| VCID-d1kp-7aht-9qa2 | Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. |
CVE-2015-2308
GHSA-5c58-w9xc-qcj9 |
| VCID-dqaj-qmbd-cya1 | Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind. |
CVE-2018-11407
GHSA-35c5-28pg-2qg4 |
| VCID-e71e-d4tr-wqgz | Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue. |
CVE-2021-21424
GHSA-5pv8-ppvj-4h68 |
| VCID-en6a-wp7q-fbfs | Symfony allows changing the environment through a query ### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix. |
CVE-2024-50340
GHSA-x8vp-gf4q-mw5j |
| VCID-fy39-ys3p-5ucm | Session Fixation Session fixation vulnerability in the `Remember Me` login feature in Symfony allows remote attackers to hijack web sessions via a session id. |
CVE-2015-8124
GHSA-j5jh-hpr4-h332 |
| VCID-grxm-dpcv-37d9 | Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue. |
CVE-2020-5275
GHSA-g4m9-5hpf-hx72 |
| VCID-guzg-x6nu-pygu | Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. |
CVE-2019-18887
GHSA-q8hg-pf8v-cxrv |
| VCID-hxhq-zdyu-dudz | Attacker can read all files content on the server When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker. |
CVE-2017-16790
GHSA-cqqh-94r6-wjrg |
| VCID-hzwd-mq3r-qfcb | Uncontrolled Resource Consumption The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750. |
CVE-2013-5958
GHSA-cr49-fx2v-9p57 |
| VCID-j2su-wjra-tbh1 | Improper Neutralization of Formula Elements in a CSV File `Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. |
CVE-2021-41270
GHSA-2xhg-w2g5-w95x |
| VCID-jdsd-3vnz-uygn | Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
CVE-2019-18888
GHSA-xhh6-956q-4q69 |
| VCID-k8zb-z9em-vqgm | URL Redirection to Untrusted Site (Open Redirect) The security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container. |
CVE-2018-11408
GHSA-7hwc-2cq4-6x2w |
| VCID-kgu6-gj5d-7bfx | Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows ### Summary The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. ### Impact If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). ### Resolution Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped). The patch for branch 5.4 is available at https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b ### Workarounds / Mitigations Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. |
CVE-2026-24739
GHSA-r39x-jcww-82v6 |
| VCID-kqcd-f4vt-r7g8 | Session Fixation `Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore. |
CVE-2021-41268
GHSA-qw36-p97w-vcqr |
| VCID-mm7e-kb6c-vucx | `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks. |
CVE-2017-16652
GHSA-r7p7-qr7p-2rrf |
| VCID-n3d2-zwve-gbf5 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') `Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored and protect users from Cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the `trusted_headers` allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. |
CVE-2021-41267
GHSA-q3j3-w37x-hq2q |
| VCID-nsk8-bk5e-tbfh | CVE-2016-4423: Large username storage in session The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. |
CVE-2016-4423
GHSA-whgv-8cg3-7hcm |
| VCID-p1dw-w76f-gbfv | Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. |
CVE-2025-64500
GHSA-3rg7-wf37-54rm |
| VCID-pdcr-fsbk-63bx | Symfony's `Security::login` does not take into account custom `user_checker` ### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix. |
CVE-2024-50341
GHSA-jxgr-3v7q-3w9v |
| VCID-pgk7-bnxx-ckeq | Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue. |
CVE-2020-5255
GHSA-mcx4-f5f5-4859 |
| VCID-qwcj-hq3g-2qd7 | Cross-Site Request Forgery (CSRF) Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. |
CVE-2022-23601
GHSA-vvmr-8829-6whx |
| VCID-rgh3-ef8t-k3ec | Duplicate This advisory duplicates another. |
CVE-2022-24894
GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
| VCID-sbsb-u8u5-4bcm | Symfony has an Authentication Bypass via RememberMe ### Description When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix. |
CVE-2024-51996
GHSA-cg23-qf8f-62rr |
| VCID-skth-cf6d-3ubr | Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
CVE-2017-18343
|
| VCID-t2dx-5us4-mkf1 | Cross-Site Request Forgery (CSRF) The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS. |
CVE-2017-16653
GHSA-92x6-h2gr-8gxq |
| VCID-tekr-xkck-pkfu | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. |
CVE-2008-7220
|
| VCID-thtp-ehsj-t3ej | Duplicate This advisory duplicates another. |
CVE-2022-24895
GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211 |
| VCID-txk7-krb1-bqd9 | RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue. |
CVE-2020-15094
GHSA-754h-5r27-7x3r |
| VCID-ugce-e42m-1fgj | Exceptions displayed in non-debug configurations in Symfony Description ----------- When `ErrorHandler` renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-`debug` environments. Resolution ---------- The `ErrorHandler` class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-`debug` environments. The patches for this issue are available [here](https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad) and [here](https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db) for branch 4.4. Credits ------- I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue. |
CVE-2020-5274
GHSA-m884-279h-32v2 |
| VCID-up7g-6ewp-uya5 | Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. |
CVE-2015-4050
GHSA-qmqw-mpqp-mr54 |
| VCID-v81g-hqja-hue2 | URL Redirection to Untrusted Site (Open Redirect) By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. |
CVE-2018-19790
GHSA-89r2-5g34-2g47 |
| VCID-vpsz-zhhq-xfbw | An attacker can navigate to arbitrary directories via the dot-dot-slash attack This package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack. |
CVE-2017-16654
GHSA-c49r-8gj6-768r |
| VCID-wd9z-d4h5-hkax | Improper Input Validation in Symfony An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. |
CVE-2019-11325
GHSA-w4rc-rx25-8m86 |
| VCID-wwhm-mrr3-v7h3 | Unsafe methods in the Request class The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`. |
CVE-2015-2309
GHSA-p684-f7fh-jv2j |
| VCID-z2r1-8bdp-w7f5 | Improper Input Validation An issue was discovered in `HttpKernel` in Symfony When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. |
CVE-2018-14774
GHSA-66p6-7p29-55p9 |
| VCID-znfv-ngqc-fudw | Cross-site scripting Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now does not return any user-submitted input in its response. |
CVE-2023-46735
GHSA-72x2-5c85-6wmr |