{"url":"http://public2.vulnerablecode.io/api/packages/51274?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.2.1","type":"composer","namespace":"friendsofsymfony","name":"user-bundle","version":"1.2.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.3.5","latest_non_vulnerable_version":"1.3.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37744?format=json","vulnerability_id":"VCID-cp9j-3948-mud8","summary":"Insufficient Entropy\nEntropy is lost in the `TokenGenerator`.","references":[{"reference_url":"https://symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost","reference_id":"","reference_type":"","scores":[],"url":"https://symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51607?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ky5a-sata-5yf6"},{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.3.0"}],"aliases":["GMS-2014-38"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cp9j-3948-mud8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54871?format=json","vulnerability_id":"VCID-fkq5-7t4p-jbdk","summary":"FOSUserBundle Session Hijacking Vulnerability\nVersions of FOSUserBundle from 1.2.x to 1.2.4 have been found to contain a security vulnerability related to session hijacking. This issue has been addressed in version 1.2.4, and users are strongly advised to upgrade to the latest version to prevent potential session-related security risks.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2012-07-10-2.yaml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2012-07-10-2.yaml"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/8e412a70cafd924ad04c7325dae423048861b955","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/8e412a70cafd924ad04c7325dae423048861b955"},{"reference_url":"https://github.com/advisories/GHSA-6mjq-9x4w-m3w9","reference_id":"GHSA-6mjq-9x4w-m3w9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mjq-9x4w-m3w9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51273?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cp9j-3948-mud8"},{"vulnerability":"VCID-ky5a-sata-5yf6"},{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.2.4"}],"aliases":["GHSA-6mjq-9x4w-m3w9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fkq5-7t4p-jbdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37575?format=json","vulnerability_id":"VCID-ky5a-sata-5yf6","summary":"Uncontrolled Resource Consumption\nThe login form in the FriendsOfSymfony FOSUserBundle bundle for Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-5750","reference_id":"","reference_type":"","scores":[{"value":"0.00474","scoring_system":"epss","scoring_elements":"0.65143","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00474","scoring_system":"epss","scoring_elements":"0.65101","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00474","scoring_system":"epss","scoring_elements":"0.65144","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00474","scoring_system":"epss","scoring_elements":"0.65154","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-5750"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/CVE-2013-5750.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/CVE-2013-5750.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-5750","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-5750"},{"reference_url":"http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form"},{"reference_url":"https://symfony.com/cve-2013-5750","reference_id":"CVE-2013-5750","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2013-5750"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51608?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cp9j-3948-mud8"},{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/51609?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.3.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.3.3"}],"aliases":["CVE-2013-5750","GHSA-9mpf-g3fc-9rgv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ky5a-sata-5yf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54848?format=json","vulnerability_id":"VCID-yyyq-za39-r3hh","summary":"FOSUserBundle Entropy is lost in the TokenGenerator\nBecause of the usage of base_convert which looses precision for large inputs, the entropy of tokens generated by FOSUserBundle for the email confirmation and password resetting is lost. This makes these tokens much less random than they are expected to be, and so not cryptographically safe.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2014-09-04-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2014-09-04-1.yaml"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/b3ebfea52065e9727508f5f8e6c9f7459a1b06d8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/b3ebfea52065e9727508f5f8e6c9f7459a1b06d8"},{"reference_url":"https://symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/fosuserbundle-entropy-of-generated-tokens-is-lost"},{"reference_url":"https://github.com/advisories/GHSA-pjx8-984p-7p3x","reference_id":"GHSA-pjx8-984p-7p3x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pjx8-984p-7p3x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81391?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.3.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.3.5"}],"aliases":["GHSA-pjx8-984p-7p3x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyyq-za39-r3hh"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54867?format=json","vulnerability_id":"VCID-nnxf-zbvz-1qdb","summary":"FOSUserBundle User Identity Validation Vulnerability\nVersions of FOSUserBundle prior to 1.2.1 have been found to be vulnerable to a security issue related to user identity validation. Specifically, user refreshing was performed using the primary key instead of the username, leading to a potential security risk if a user is allowed to change their username. The fix in version 1.2.1 addresses this issue by loading the user using the primary key during refreshing.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2012-07-10-1.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/2012-07-10-1.yaml"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md"},{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/5a36e2958068d1e6501dc8cf39bbae3ebb859d9f","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/commit/5a36e2958068d1e6501dc8cf39bbae3ebb859d9f"},{"reference_url":"https://github.com/advisories/GHSA-8wx3-8m4x-g5h4","reference_id":"GHSA-8wx3-8m4x-g5h4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8wx3-8m4x-g5h4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51274?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cp9j-3948-mud8"},{"vulnerability":"VCID-fkq5-7t4p-jbdk"},{"vulnerability":"VCID-ky5a-sata-5yf6"},{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.2.1"}],"aliases":["GHSA-8wx3-8m4x-g5h4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nnxf-zbvz-1qdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37445?format=json","vulnerability_id":"VCID-sv3j-tu9a-pucg","summary":"Improper Access Control\nUser refreshing to check the identity by primary key instead of username.","references":[{"reference_url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Changelog.md"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51274?format=json","purl":"pkg:composer/friendsofsymfony/user-bundle@1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cp9j-3948-mud8"},{"vulnerability":"VCID-fkq5-7t4p-jbdk"},{"vulnerability":"VCID-ky5a-sata-5yf6"},{"vulnerability":"VCID-yyyq-za39-r3hh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.2.1"}],"aliases":["GMS-2012-6"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sv3j-tu9a-pucg"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/friendsofsymfony/user-bundle@1.2.1"}