| 1 |
| url |
VCID-37et-21qw-skd7 |
| vulnerability_id |
VCID-37et-21qw-skd7 |
| summary |
Improper Input Validation
If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-18888, GHSA-xhh6-956q-4q69
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-37et-21qw-skd7 |
|
| 2 |
| url |
VCID-3qct-gbgt-kkbb |
| vulnerability_id |
VCID-3qct-gbgt-kkbb |
| summary |
Cross-site Scripting
The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op=get` URI. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.7.33 |
| purl |
pkg:composer/symfony/symfony@2.7.33 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 4 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 5 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 6 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 7 |
| vulnerability |
VCID-dsbx-q641-4fc7 |
|
| 8 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 13 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 14 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.33 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.8.26 |
| purl |
pkg:composer/symfony/symfony@2.8.26 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 4 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 5 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 6 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 7 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 8 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 11 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 14 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 15 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 16 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 17 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
| 18 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.26 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@3.2.13 |
| purl |
pkg:composer/symfony/symfony@3.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 3 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 4 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 5 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 6 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 7 |
| vulnerability |
VCID-dsbx-q641-4fc7 |
|
| 8 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 9 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 10 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 11 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 12 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 13 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 14 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 15 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 16 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 17 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 18 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
| 19 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13 |
|
| 3 |
| url |
pkg:composer/symfony/symfony@3.3.6 |
| purl |
pkg:composer/symfony/symfony@3.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 8 |
| vulnerability |
VCID-dsbx-q641-4fc7 |
|
| 9 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 10 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 11 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 12 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 13 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 14 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 15 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 16 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 17 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 18 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 19 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
| 20 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.6 |
|
|
| aliases |
CVE-2017-18343
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3qct-gbgt-kkbb |
|
| 3 |
| url |
VCID-5pmg-t1rb-wbd4 |
| vulnerability_id |
VCID-5pmg-t1rb-wbd4 |
| summary |
Unsafe methods in the Request class
The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-2309, GHSA-p684-f7fh-jv2j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| url |
VCID-8bg3-r2zm-kfht |
| vulnerability_id |
VCID-8bg3-r2zm-kfht |
| summary |
Code Injection
Symfony, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a `/_internal` substring. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.1.5 |
| purl |
pkg:composer/symfony/symfony@2.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-emn6-zmp1-yuhr |
|
| 7 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 8 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 9 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 10 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 13 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 14 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 15 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
| 16 |
| vulnerability |
VCID-x999-2wb8-s3ec |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.5 |
|
|
| aliases |
CVE-2012-6432, GHSA-89cp-fvcc-hxh7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8bg3-r2zm-kfht |
|
| 6 |
| url |
VCID-ef86-hqv4-6kaz |
| vulnerability_id |
VCID-ef86-hqv4-6kaz |
| summary |
Cross-Site Request Forgery (CSRF)
By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
| references |
|
| fixed_packages |
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 8 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 11 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 14 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 15 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 16 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
|
| aliases |
CVE-2018-11406, GHSA-g4g7-q726-v5hg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ef86-hqv4-6kaz |
|
| 7 |
| url |
VCID-emn6-zmp1-yuhr |
| vulnerability_id |
VCID-emn6-zmp1-yuhr |
| summary |
Information Exposure
`Request::getHost()` poisoning vulnerability in Symfony. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.1.12 |
| purl |
pkg:composer/symfony/symfony@2.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 7 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 8 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 9 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 10 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 11 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 12 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 13 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 14 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.2.5 |
| purl |
pkg:composer/symfony/symfony@2.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 7 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 8 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 9 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 10 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 13 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 14 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 15 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.2.5 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@2.3.3 |
| purl |
pkg:composer/symfony/symfony@2.3.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-gjuz-mjah-e3bj |
|
| 7 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 8 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 9 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 10 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 11 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 14 |
| vulnerability |
VCID-ty9b-xe8v-r7ag |
|
| 15 |
| vulnerability |
VCID-uk5a-g7em-gygd |
|
| 16 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 17 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 18 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.3.3 |
|
|
| aliases |
CVE-2013-4752, GHSA-22pv-7v9j-hqxp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-emn6-zmp1-yuhr |
|
| 9 |
| url |
VCID-nsuz-7sdv-abef |
| vulnerability_id |
VCID-nsuz-7sdv-abef |
| summary |
Insufficient Session Expiration
The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
| references |
|
| fixed_packages |
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 8 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 11 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 14 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 15 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 16 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
|
| aliases |
CVE-2018-11386, GHSA-r2rq-3h56-fqm4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuz-7sdv-abef |
|
| 12 |
| url |
VCID-qqd1-smb1-sbe8 |
| vulnerability_id |
VCID-qqd1-smb1-sbe8 |
| summary |
URL Rewrite vulnerability
An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-14773, GHSA-8wgj-6wx8-h5hq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8 |
|
| 13 |
| url |
VCID-rkap-39hu-abe9 |
| vulnerability_id |
VCID-rkap-39hu-abe9 |
| summary |
Uncontrolled Resource Consumption
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750. |
| references |
|
| fixed_packages |
| 1 |
| url |
pkg:composer/symfony/symfony@2.2.9 |
| purl |
pkg:composer/symfony/symfony@2.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 7 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 8 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 9 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 10 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 13 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 14 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.2.9 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@2.3.6 |
| purl |
pkg:composer/symfony/symfony@2.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-gjuz-mjah-e3bj |
|
| 7 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 8 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 9 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 10 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 11 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-ty9b-xe8v-r7ag |
|
| 14 |
| vulnerability |
VCID-uk5a-g7em-gygd |
|
| 15 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 16 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 17 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.3.6 |
|
|
| aliases |
CVE-2013-5958, GHSA-cr49-fx2v-9p57
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rkap-39hu-abe9 |
|
| 14 |
| url |
VCID-va3n-eg8b-guff |
| vulnerability_id |
VCID-va3n-eg8b-guff |
| summary |
Information Exposure
Request::getClientIp() when the trust proxy mode is enabled. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.1.4 |
| purl |
pkg:composer/symfony/symfony@2.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-8bg3-r2zm-kfht |
|
| 5 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 6 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 7 |
| vulnerability |
VCID-emn6-zmp1-yuhr |
|
| 8 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 9 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 10 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 11 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 14 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 15 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 16 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
| 17 |
| vulnerability |
VCID-x999-2wb8-s3ec |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.4 |
|
|
| aliases |
GMS-2012-14
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-va3n-eg8b-guff |
|
| 15 |
| url |
VCID-vyug-krcw-jyef |
| vulnerability_id |
VCID-vyug-krcw-jyef |
| summary |
Session Fixation
A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
| references |
|
| fixed_packages |
| 2 |
| url |
pkg:composer/symfony/symfony@3.3.17 |
| purl |
pkg:composer/symfony/symfony@3.3.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3kvp-hnpd-gbcq |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 8 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 9 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 10 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 11 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 14 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 15 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 16 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.17 |
|
|
| aliases |
CVE-2018-11385, GHSA-g4rg-rw65-8hfg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vyug-krcw-jyef |
|
| 16 |
| url |
VCID-wdz4-hfer-1ud1 |
| vulnerability_id |
VCID-wdz4-hfer-1ud1 |
| summary |
Esi Code Injection
Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2015-2308, GHSA-5c58-w9xc-qcj9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wdz4-hfer-1ud1 |
|
| 17 |
| url |
VCID-x4nv-gvag-7qf2 |
| vulnerability_id |
VCID-x4nv-gvag-7qf2 |
| summary |
CVE-2016-4423: Large username storage in session
The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. |
| references |
|
| fixed_packages |
| 1 |
| url |
pkg:composer/symfony/symfony@2.7.13 |
| purl |
pkg:composer/symfony/symfony@2.7.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 8 |
| vulnerability |
VCID-dsbx-q641-4fc7 |
|
| 9 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 10 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 11 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 14 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 15 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.13 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@2.8.6 |
| purl |
pkg:composer/symfony/symfony@2.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1y96-v19f-tkgg |
|
| 1 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 2 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 3 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 4 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 5 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 6 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 7 |
| vulnerability |
VCID-djnm-e9r4-c3f5 |
|
| 8 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 9 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 10 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 11 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 12 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 13 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 14 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 15 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 16 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 17 |
| vulnerability |
VCID-xdtu-22ad-63aq |
|
| 18 |
| vulnerability |
VCID-xj13-fspe-hfgv |
|
| 19 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.6 |
|
| 3 |
| url |
pkg:composer/symfony/symfony@3.0.6 |
| purl |
pkg:composer/symfony/symfony@3.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-23hr-yznx-c3fb |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-6c6t-kmb3-2qcm |
|
| 4 |
| vulnerability |
VCID-7m45-bvbn-4qd3 |
|
| 5 |
| vulnerability |
VCID-awma-bc9f-kfe2 |
|
| 6 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 7 |
| vulnerability |
VCID-frbz-vpfe-vbh9 |
|
| 8 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 9 |
| vulnerability |
VCID-mew1-9shg-mugs |
|
| 10 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-tx26-92jc-rkff |
|
| 13 |
| vulnerability |
VCID-uuk9-e5qy-rfgf |
|
| 14 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 15 |
| vulnerability |
VCID-zeut-9wfp-q7et |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.0.6 |
|
|
| aliases |
CVE-2016-4423, GHSA-whgv-8cg3-7hcm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x4nv-gvag-7qf2 |
|
| 18 |
| url |
VCID-x999-2wb8-s3ec |
| vulnerability_id |
VCID-x999-2wb8-s3ec |
| summary |
Improper Input Validation
`php-symfony2-Validator` suffers from a loss of information during serialization. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/symfony/symfony@2.1.12 |
| purl |
pkg:composer/symfony/symfony@2.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 7 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 8 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 9 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 10 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 11 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 12 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 13 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 14 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.12 |
|
| 1 |
| url |
pkg:composer/symfony/symfony@2.2.5 |
| purl |
pkg:composer/symfony/symfony@2.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 7 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 8 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 9 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 10 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 11 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 12 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 13 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 14 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 15 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.2.5 |
|
| 2 |
| url |
pkg:composer/symfony/symfony@2.3.3 |
| purl |
pkg:composer/symfony/symfony@2.3.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2kf8-ugvv-tbb8 |
|
| 1 |
| vulnerability |
VCID-37et-21qw-skd7 |
|
| 2 |
| vulnerability |
VCID-3qct-gbgt-kkbb |
|
| 3 |
| vulnerability |
VCID-5pmg-t1rb-wbd4 |
|
| 4 |
| vulnerability |
VCID-bktf-ejbt-2fds |
|
| 5 |
| vulnerability |
VCID-ef86-hqv4-6kaz |
|
| 6 |
| vulnerability |
VCID-gjuz-mjah-e3bj |
|
| 7 |
| vulnerability |
VCID-hs5u-r1jg-tub5 |
|
| 8 |
| vulnerability |
VCID-jqh6-rwsw-73bs |
|
| 9 |
| vulnerability |
VCID-nsuz-7sdv-abef |
|
| 10 |
| vulnerability |
VCID-p131-pv18-ykht |
|
| 11 |
| vulnerability |
VCID-pxwk-7vcf-m7f5 |
|
| 12 |
| vulnerability |
VCID-qqd1-smb1-sbe8 |
|
| 13 |
| vulnerability |
VCID-rkap-39hu-abe9 |
|
| 14 |
| vulnerability |
VCID-ty9b-xe8v-r7ag |
|
| 15 |
| vulnerability |
VCID-uk5a-g7em-gygd |
|
| 16 |
| vulnerability |
VCID-vyug-krcw-jyef |
|
| 17 |
| vulnerability |
VCID-wdz4-hfer-1ud1 |
|
| 18 |
| vulnerability |
VCID-x4nv-gvag-7qf2 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.3.3 |
|
|
| aliases |
CVE-2013-4751, GHSA-q8j7-fjh7-25v5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x999-2wb8-s3ec |
|