{"url":"http://public2.vulnerablecode.io/api/packages/29033?format=json","purl":"pkg:composer/symfony/symfony@3.2.0-alpha0","type":"composer","namespace":"symfony","name":"symfony","version":"3.2.0-alpha0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.4.51","latest_non_vulnerable_version":"8.0.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9724?format=json","vulnerability_id":"VCID-hxhq-zdyu-dudz","summary":"Attacker can read all files content on the server\nWhen a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the `$_POST` array in plain PHP) and uploaded files data (known as the `$_FILES` array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. A user can send a crafted HTTP request where the value of a `FileType` is sent as normal `POST` data that could be interpreted as a locale file path on the server-side (for example, `file:///etc/passwd`). If the application did not perform any additional checks about the value submitted to the `FileType`, the contents of the given file on the server could have been exposed to the attacker.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16790","reference_id":"","reference_type":"","scores":[{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71678","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71829","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.718","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71834","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71801","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71768","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71782","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71777","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71772","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71723","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71741","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71735","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71709","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71726","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71702","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71691","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71654","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.7166","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00686","scoring_system":"epss","scoring_elements":"0.71651","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2017-16790.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/form/CVE-2017-16790.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16790.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16790.yaml"},{"reference_url":"https://github.com/symfony/form","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/form"},{"reference_url":"https://github.com/symfony/symfony/pull/24993","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/pull/24993"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16790","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16790"},{"reference_url":"https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files"},{"reference_url":"https://symfony.com/cve-2017-16790","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2017-16790"},{"reference_url":"https://www.debian.org/security/2018/dsa-4262","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4262"},{"reference_url":"http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files","reference_id":"CVE-2017-16790-ENSURE-THAT-SUBMITTED-DATA-ARE-UPLOADED-FILES","reference_type":"","scores":[],"url":"http://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files"},{"reference_url":"https://github.com/advisories/GHSA-cqqh-94r6-wjrg","reference_id":"GHSA-cqqh-94r6-wjrg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cqqh-94r6-wjrg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29039?format=json","purl":"pkg:composer/symfony/symfony@3.2.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/29040?format=json","purl":"pkg:composer/symfony/symfony@3.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"},{"vulnerability":"VCID-z2r1-8bdp-w7f5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13"},{"url":"http://public2.vulnerablecode.io/api/packages/29041?format=json","purl":"pkg:composer/symfony/symfony@3.4.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5"},{"url":"http://public2.vulnerablecode.io/api/packages/29042?format=json","purl":"pkg:composer/symfony/symfony@4.0.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5"}],"aliases":["CVE-2017-16790","GHSA-cqqh-94r6-wjrg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hxhq-zdyu-dudz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9446?format=json","vulnerability_id":"VCID-mm7e-kb6c-vucx","summary":"`DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` take the content of the `_target_path` parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16652","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4459","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44745","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44826","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44847","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44788","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4484","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44843","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4486","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44828","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4483","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44884","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44877","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4481","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44724","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44731","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44653","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44538","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44608","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44623","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44561","published_at":"2026-05-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml"},{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://github.com/symfony/symfony/pull/24995","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/pull/24995"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16652","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:N"},{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16652"},{"reference_url":"https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"reference_url":"https://symfony.com/cve-2017-16652","reference_id":"CVE-2017-16652","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2017-16652"},{"reference_url":"http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers","reference_id":"CVE-2017-16652-OPEN-REDIRECT-VULNERABILITY-ON-SECURITY-HANDLERS","reference_type":"","scores":[],"url":"http://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers"},{"reference_url":"https://github.com/advisories/GHSA-r7p7-qr7p-2rrf","reference_id":"GHSA-r7p7-qr7p-2rrf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r7p7-qr7p-2rrf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29039?format=json","purl":"pkg:composer/symfony/symfony@3.2.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/29040?format=json","purl":"pkg:composer/symfony/symfony@3.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"},{"vulnerability":"VCID-z2r1-8bdp-w7f5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13"},{"url":"http://public2.vulnerablecode.io/api/packages/29041?format=json","purl":"pkg:composer/symfony/symfony@3.4.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5"},{"url":"http://public2.vulnerablecode.io/api/packages/29042?format=json","purl":"pkg:composer/symfony/symfony@4.0.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5"}],"aliases":["CVE-2017-16652","GHSA-r7p7-qr7p-2rrf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mm7e-kb6c-vucx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9723?format=json","vulnerability_id":"VCID-vpsz-zhhq-xfbw","summary":"An attacker can navigate to arbitrary directories via the dot-dot-slash attack\nThis package includes various bundle readers that are used to read resource bundles from the local filesystem. The `read()` methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a `URL` parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.","references":[{"reference_url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654","reference_id":"","reference_type":"","scores":[],"url":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16654","reference_id":"","reference_type":"","scores":[{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67839","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67648","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67683","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67703","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67735","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67748","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67772","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67758","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67724","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67761","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67754","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67773","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67784","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67787","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67764","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67806","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67845","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00543","scoring_system":"epss","scoring_elements":"0.67814","published_at":"2026-05-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16654"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/intl/CVE-2017-16654.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/intl/CVE-2017-16654.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16654.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16654.yaml"},{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://github.com/symfony/symfony/pull/24994","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/pull/24994"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16654","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16654"},{"reference_url":"https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"},{"reference_url":"https://symfony.com/cve-2017-16654","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2017-16654"},{"reference_url":"https://www.debian.org/security/2018/dsa-4262","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4262"},{"reference_url":"http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths","reference_id":"CVE-2017-16654-INTL-BUNDLE-READERS-BREAKING-OUT-OF-PATHS","reference_type":"","scores":[],"url":"http://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths"},{"reference_url":"https://github.com/advisories/GHSA-c49r-8gj6-768r","reference_id":"GHSA-c49r-8gj6-768r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c49r-8gj6-768r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29039?format=json","purl":"pkg:composer/symfony/symfony@3.2.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.14"},{"url":"http://public2.vulnerablecode.io/api/packages/29040?format=json","purl":"pkg:composer/symfony/symfony@3.3.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-27sw-43vt-ukh3"},{"vulnerability":"VCID-2hua-7wbd-tqbx"},{"vulnerability":"VCID-3uu1-kftu-nbhd"},{"vulnerability":"VCID-4mkw-tv16-jyca"},{"vulnerability":"VCID-4num-z8cg-83gt"},{"vulnerability":"VCID-556v-rym3-6yax"},{"vulnerability":"VCID-636u-5bdw-puh4"},{"vulnerability":"VCID-71vh-7wte-kfcx"},{"vulnerability":"VCID-7sm1-74du-47gc"},{"vulnerability":"VCID-9bzz-84cq-ykh2"},{"vulnerability":"VCID-9rsx-fscb-6fh3"},{"vulnerability":"VCID-bdhj-np35-sybt"},{"vulnerability":"VCID-bhfu-7788-fbhc"},{"vulnerability":"VCID-bpkv-qrmp-huac"},{"vulnerability":"VCID-c8ar-82sr-fqej"},{"vulnerability":"VCID-dqaj-qmbd-cya1"},{"vulnerability":"VCID-e71e-d4tr-wqgz"},{"vulnerability":"VCID-guzg-x6nu-pygu"},{"vulnerability":"VCID-jdsd-3vnz-uygn"},{"vulnerability":"VCID-k8zb-z9em-vqgm"},{"vulnerability":"VCID-kgu6-gj5d-7bfx"},{"vulnerability":"VCID-p1dw-w76f-gbfv"},{"vulnerability":"VCID-qwcj-hq3g-2qd7"},{"vulnerability":"VCID-rgh3-ef8t-k3ec"},{"vulnerability":"VCID-thtp-ehsj-t3ej"},{"vulnerability":"VCID-v81g-hqja-hue2"},{"vulnerability":"VCID-z2r1-8bdp-w7f5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.13"},{"url":"http://public2.vulnerablecode.io/api/packages/29041?format=json","purl":"pkg:composer/symfony/symfony@3.4.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.0-BETA5"},{"url":"http://public2.vulnerablecode.io/api/packages/29042?format=json","purl":"pkg:composer/symfony/symfony@4.0.0-BETA5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.0-BETA5"}],"aliases":["CVE-2017-16654","GHSA-c49r-8gj6-768r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vpsz-zhhq-xfbw"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.0-alpha0"}