{"url":"http://public2.vulnerablecode.io/api/packages/51232?format=json","purl":"pkg:composer/symfony/symfony@2.0.0","type":"composer","namespace":"symfony","name":"symfony","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.6","latest_non_vulnerable_version":"8.0.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37724?format=json","vulnerability_id":"VCID-2kf8-ugvv-tbb8","summary":"Code Injection\nCode injection in the way Symfony implements translation caching in FrameworkBundle.","references":[{"reference_url":"https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51932?format=json","purl":"pkg:composer/symfony/symfony@2.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/51933?format=json","purl":"pkg:composer/symfony/symfony@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.4"}],"aliases":["CVE-2014-4931"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kf8-ugvv-tbb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46379?format=json","vulnerability_id":"VCID-4f9e-eg67-cqbr","summary":"Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters\nSymfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.","references":[{"reference_url":"https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54"},{"reference_url":"https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46734","reference_id":"CVE-2023-46734","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46734"},{"reference_url":"https://symfony.com/cve-2023-46734","reference_id":"CVE-2023-46734","reference_type":"","scores":[],"url":"https://symfony.com/cve-2023-46734"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml","reference_id":"CVE-2023-46734.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml"},{"reference_url":"https://github.com/advisories/GHSA-q847-2q57-wmr3","reference_id":"GHSA-q847-2q57-wmr3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q847-2q57-wmr3"},{"reference_url":"https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3","reference_id":"GHSA-q847-2q57-wmr3","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67682?format=json","purl":"pkg:composer/symfony/symfony@4.4.51","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.51"},{"url":"http://public2.vulnerablecode.io/api/packages/67676?format=json","purl":"pkg:composer/symfony/symfony@5.4.31","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.31"},{"url":"http://public2.vulnerablecode.io/api/packages/67677?format=json","purl":"pkg:composer/symfony/symfony@6.3.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.3.8"}],"aliases":["CVE-2023-46734","GHSA-q847-2q57-wmr3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4f9e-eg67-cqbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37476?format=json","vulnerability_id":"VCID-86ct-zv8d-d3eb","summary":"Routes behind a firewall are accessible even when not logged in\nSymfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51331?format=json","purl":"pkg:composer/symfony/symfony@2.0.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.19"}],"aliases":["CVE-2012-6431"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-86ct-zv8d-d3eb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37477?format=json","vulnerability_id":"VCID-8bg3-r2zm-kfht","summary":"Code Injection\nSymfony, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a `/_internal` substring.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51347?format=json","purl":"pkg:composer/symfony/symfony@2.0.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.20"},{"url":"http://public2.vulnerablecode.io/api/packages/51348?format=json","purl":"pkg:composer/symfony/symfony@2.1.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.5"}],"aliases":["CVE-2012-6432"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8bg3-r2zm-kfht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37424?format=json","vulnerability_id":"VCID-8tk3-fzaa-pufq","summary":"Improper Restriction of XML External Entity Reference\nXML decoding attack vector through external entities.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-11-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-11-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51233?format=json","purl":"pkg:composer/symfony/symfony@2.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.11"}],"aliases":["GMS-2012-12"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8tk3-fzaa-pufq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44350?format=json","vulnerability_id":"VCID-91hk-tdtv-x7fp","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24894","reference_id":"CVE-2022-24894","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24894"},{"reference_url":"https://symfony.com/cve-2022-24894","reference_id":"CVE-2022-24894","reference_type":"","scores":[],"url":"https://symfony.com/cve-2022-24894"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml","reference_id":"CVE-2022-24894.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml","reference_id":"CVE-2022-24894.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml"},{"reference_url":"https://github.com/advisories/GHSA-h7vf-5wrv-9fhv","reference_id":"GHSA-h7vf-5wrv-9fhv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h7vf-5wrv-9fhv"},{"reference_url":"https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv","reference_id":"GHSA-h7vf-5wrv-9fhv","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63770?format=json","purl":"pkg:composer/symfony/symfony@4.4.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.50"},{"url":"http://public2.vulnerablecode.io/api/packages/63771?format=json","purl":"pkg:composer/symfony/symfony@5.4.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.20"},{"url":"http://public2.vulnerablecode.io/api/packages/63772?format=json","purl":"pkg:composer/symfony/symfony@6.0.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.20"},{"url":"http://public2.vulnerablecode.io/api/packages/63773?format=json","purl":"pkg:composer/symfony/symfony@6.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/63774?format=json","purl":"pkg:composer/symfony/symfony@6.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.6"}],"aliases":["CVE-2022-24894","GHSA-h7vf-5wrv-9fhv","GMS-2023-209","GMS-2023-212"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-91hk-tdtv-x7fp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48354?format=json","vulnerability_id":"VCID-bhnt-pgq7-yya3","summary":"Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass\nThe `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.","references":[{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64500","reference_id":"CVE-2025-64500","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64500"},{"reference_url":"https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass","reference_id":"CVE-2025-64500-INCORRECT-PARSING-OF-PATH-INFO-CAN-LEAD-TO-LIMITED-AUTHORIZATION-BYPASS","reference_type":"","scores":[],"url":"https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml","reference_id":"CVE-2025-64500.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml","reference_id":"CVE-2025-64500.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3rg7-wf37-54rm","reference_id":"GHSA-3rg7-wf37-54rm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3rg7-wf37-54rm"},{"reference_url":"https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm","reference_id":"GHSA-3rg7-wf37-54rm","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71371?format=json","purl":"pkg:composer/symfony/symfony@5.4.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.50"},{"url":"http://public2.vulnerablecode.io/api/packages/71372?format=json","purl":"pkg:composer/symfony/symfony@6.4.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.29"},{"url":"http://public2.vulnerablecode.io/api/packages/71373?format=json","purl":"pkg:composer/symfony/symfony@7.3.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.7"}],"aliases":["CVE-2025-64500","GHSA-3rg7-wf37-54rm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bhnt-pgq7-yya3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37740?format=json","vulnerability_id":"VCID-bktf-ejbt-2fds","summary":"Cross-Site Request Forgery (CSRF)Cross-Site Request Forgery (CSRF)\nCSRF vulnerability in the Web Profiler.","references":[{"reference_url":"https://symfony.com/cve-2014-6072","reference_id":"CVE-2014-6072","reference_type":"","scores":[],"url":"https://symfony.com/cve-2014-6072"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51932?format=json","purl":"pkg:composer/symfony/symfony@2.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/51933?format=json","purl":"pkg:composer/symfony/symfony@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.4"}],"aliases":["CVE-2014-6072"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bktf-ejbt-2fds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37702?format=json","vulnerability_id":"VCID-bvc9-d1ns-33g6","summary":"Code Injection\nThe `Yaml::parse` function in Symfony allows remote attackers to execute arbitrary PHP code via a PHP file.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-22-and-2-1-7-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51883?format=json","purl":"pkg:composer/symfony/symfony@2.0.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.22"}],"aliases":["CVE-2013-1348"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bvc9-d1ns-33g6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44352?format=json","vulnerability_id":"VCID-c3qr-9rv2-yqh9","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946"},{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24895","reference_id":"CVE-2022-24895","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24895"},{"reference_url":"https://symfony.com/cve-2022-24895","reference_id":"CVE-2022-24895","reference_type":"","scores":[],"url":"https://symfony.com/cve-2022-24895"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml","reference_id":"CVE-2022-24895.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml","reference_id":"CVE-2022-24895.YAML","reference_type":"","scores":[],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml"},{"reference_url":"https://github.com/advisories/GHSA-3gv2-29qc-v67m","reference_id":"GHSA-3gv2-29qc-v67m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3gv2-29qc-v67m"},{"reference_url":"https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m","reference_id":"GHSA-3gv2-29qc-v67m","reference_type":"","scores":[],"url":"https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63770?format=json","purl":"pkg:composer/symfony/symfony@4.4.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.50"},{"url":"http://public2.vulnerablecode.io/api/packages/63771?format=json","purl":"pkg:composer/symfony/symfony@5.4.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.20"},{"url":"http://public2.vulnerablecode.io/api/packages/63772?format=json","purl":"pkg:composer/symfony/symfony@6.0.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.20"},{"url":"http://public2.vulnerablecode.io/api/packages/63773?format=json","purl":"pkg:composer/symfony/symfony@6.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/63774?format=json","purl":"pkg:composer/symfony/symfony@6.2.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.6"}],"aliases":["CVE-2022-24895","GHSA-3gv2-29qc-v67m","GMS-2023-210","GMS-2023-211"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c3qr-9rv2-yqh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39965?format=json","vulnerability_id":"VCID-ef86-hqv4-6kaz","summary":"Cross-Site Request Forgery (CSRF)\nBy default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.","references":[{"reference_url":"https://symfony.com/cve-2018-11406","reference_id":"CVE-2018-11406","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-11406"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55829?format=json","purl":"pkg:composer/symfony/symfony@2.8.41","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41"},{"url":"http://public2.vulnerablecode.io/api/packages/55830?format=json","purl":"pkg:composer/symfony/symfony@3.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:composer/symfony/symfony@4.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11"}],"aliases":["CVE-2018-11406"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ef86-hqv4-6kaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37566?format=json","vulnerability_id":"VCID-emn6-zmp1-yuhr","summary":"Information Exporure\n`Request::getHost()` poisoning vulnerability in Symfony.","references":[{"reference_url":"https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51543?format=json","purl":"pkg:composer/symfony/symfony@2.0.24","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.24"},{"url":"http://public2.vulnerablecode.io/api/packages/51544?format=json","purl":"pkg:composer/symfony/symfony@2.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/51545?format=json","purl":"pkg:composer/symfony/symfony@2.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/51546?format=json","purl":"pkg:composer/symfony/symfony@2.3.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.3.3"}],"aliases":["CVE-2013-4752"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-emn6-zmp1-yuhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37741?format=json","vulnerability_id":"VCID-hs5u-r1jg-tub5","summary":"Improper Access Control\nDirect access of ESI URLs behind a trusted proxy.","references":[{"reference_url":"https://symfony.com/cve-2014-5245","reference_id":"CVE-2014-5245","reference_type":"","scores":[],"url":"https://symfony.com/cve-2014-5245"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51932?format=json","purl":"pkg:composer/symfony/symfony@2.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/51933?format=json","purl":"pkg:composer/symfony/symfony@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.4"}],"aliases":["CVE-2014-5245"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hs5u-r1jg-tub5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37453?format=json","vulnerability_id":"VCID-kysh-mfs1-3fad","summary":"Improper Restriction of XML External Entity Reference\nSecurity fixes related to the way XML is handled.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-17-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-17-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51290?format=json","purl":"pkg:composer/symfony/symfony@2.0.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.17"}],"aliases":["GMS-2012-13"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kysh-mfs1-3fad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37464?format=json","vulnerability_id":"VCID-mzqs-3tyf-m7ec","summary":"Improper Privilege Management\nVulnerability in the `EntityUserProvider` as provided in the Doctrine bridge.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-6","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51319?format=json","purl":"pkg:composer/symfony/symfony@2.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.6"}],"aliases":["GMS-2011-5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mzqs-3tyf-m7ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39968?format=json","vulnerability_id":"VCID-nsuz-7sdv-abef","summary":"Insufficient Session Expiration\nThe `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.","references":[{"reference_url":"https://symfony.com/cve-2018-11386","reference_id":"CVE-2018-11386","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-11386"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55829?format=json","purl":"pkg:composer/symfony/symfony@2.8.41","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41"},{"url":"http://public2.vulnerablecode.io/api/packages/55830?format=json","purl":"pkg:composer/symfony/symfony@3.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:composer/symfony/symfony@4.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11"}],"aliases":["CVE-2018-11386"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuz-7sdv-abef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37742?format=json","vulnerability_id":"VCID-p131-pv18-ykht","summary":"Improper Authorization\nSecurity issue when parsing the Authorization header.","references":[{"reference_url":"https://symfony.com/cve-2014-6061","reference_id":"CVE-2014-6061","reference_type":"","scores":[],"url":"https://symfony.com/cve-2014-6061"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51932?format=json","purl":"pkg:composer/symfony/symfony@2.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/51933?format=json","purl":"pkg:composer/symfony/symfony@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.4"}],"aliases":["CVE-2014-6061"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p131-pv18-ykht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37743?format=json","vulnerability_id":"VCID-pxwk-7vcf-m7f5","summary":"Uncontrolled Resource Consumption\nDenial of service with a malicious HTTP Host header.","references":[{"reference_url":"https://symfony.com/cve-2014-5244","reference_id":"CVE-2014-5244","reference_type":"","scores":[],"url":"https://symfony.com/cve-2014-5244"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51932?format=json","purl":"pkg:composer/symfony/symfony@2.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.9"},{"url":"http://public2.vulnerablecode.io/api/packages/51933?format=json","purl":"pkg:composer/symfony/symfony@2.5.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mtb5-t6y4-w3eb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.4"}],"aliases":["CVE-2014-5244"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pxwk-7vcf-m7f5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40154?format=json","vulnerability_id":"VCID-qqd1-smb1-sbe8","summary":"URL Rewrite vulnerability\nAn issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.","references":[{"reference_url":"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers","reference_id":"CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS","reference_type":"","scores":[],"url":"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56269?format=json","purl":"pkg:composer/symfony/symfony@2.8.44","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.44"},{"url":"http://public2.vulnerablecode.io/api/packages/56270?format=json","purl":"pkg:composer/symfony/symfony@3.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56271?format=json","purl":"pkg:composer/symfony/symfony@4.0.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56272?format=json","purl":"pkg:composer/symfony/symfony@4.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3"}],"aliases":["CVE-2018-14773"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37785?format=json","vulnerability_id":"VCID-rkap-39hu-abe9","summary":"Uncontrolled Resource Consumption\nThe Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.","references":[{"reference_url":"https://github.com/symfony/polyfill/pull/155","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/symfony/polyfill/pull/155"},{"reference_url":"https://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52106?format=json","purl":"pkg:composer/symfony/symfony@2.0.25","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.25"},{"url":"http://public2.vulnerablecode.io/api/packages/52107?format=json","purl":"pkg:composer/symfony/symfony@2.1.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.13"},{"url":"http://public2.vulnerablecode.io/api/packages/52108?format=json","purl":"pkg:composer/symfony/symfony@2.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/52109?format=json","purl":"pkg:composer/symfony/symfony@2.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.3.6"}],"aliases":["CVE-2013-5958"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkap-39hu-abe9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37469?format=json","vulnerability_id":"VCID-va3n-eg8b-guff","summary":"Information Exposure\nRequest::getClientIp() when the trust proxy mode is enabled.","references":[{"reference_url":"https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/security-release-symfony-2-0-19-and-2-1-4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51331?format=json","purl":"pkg:composer/symfony/symfony@2.0.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.19"},{"url":"http://public2.vulnerablecode.io/api/packages/51332?format=json","purl":"pkg:composer/symfony/symfony@2.1.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.1.4"}],"aliases":["GMS-2012-14"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-va3n-eg8b-guff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39963?format=json","vulnerability_id":"VCID-vyug-krcw-jyef","summary":"Session Fixation\nA session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.","references":[{"reference_url":"https://symfony.com/cve-2018-11385","reference_id":"CVE-2018-11385","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-11385"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55829?format=json","purl":"pkg:composer/symfony/symfony@2.8.41","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41"},{"url":"http://public2.vulnerablecode.io/api/packages/55830?format=json","purl":"pkg:composer/symfony/symfony@3.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:composer/symfony/symfony@4.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11"}],"aliases":["CVE-2018-11385"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vyug-krcw-jyef"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.0"}