{"url":"http://public2.vulnerablecode.io/api/packages/55855?format=json","purl":"pkg:composer/symfony/symfony@2.8.0","type":"composer","namespace":"symfony","name":"symfony","version":"2.8.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.8.6","latest_non_vulnerable_version":"8.0.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40155?format=json","vulnerability_id":"VCID-1y96-v19f-tkgg","summary":"Improper Input Validation\nAn issue was discovered in `HttpKernel` in Symfony. When using `HttpCache`, the values of the `X-Forwarded-Host` headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-14774","reference_id":"CVE-2018-14774","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-14774"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56269?format=json","purl":"pkg:composer/symfony/symfony@2.8.44","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.44"},{"url":"http://public2.vulnerablecode.io/api/packages/56280?format=json","purl":"pkg:composer/symfony/symfony@3.3.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.18"},{"url":"http://public2.vulnerablecode.io/api/packages/56270?format=json","purl":"pkg:composer/symfony/symfony@3.4.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56271?format=json","purl":"pkg:composer/symfony/symfony@4.0.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:
composer/symfony/symfony@4.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56272?format=json","purl":"pkg:composer/symfony/symfony@4.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.3"}],"aliases":["CVE-2018-14774"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1y96-v19f-tkgg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40985?format=json","vulnerability_id":"VCID-23hr-yznx-c3fb","summary":"Improper Authentication\nIn Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.","references":[{"reference_url":"https://symfony.com/cve-2019-10911","reference_id":"CVE-2019-10911","reference_type":"","scores":[],"url":"https://symfony.com/cve-2019-10911"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58019?format=json","purl":"pkg:composer/symfony/symfony@2.8.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50"},{"url":"http://public2.vulnerablecode.io/api/packages/58020?format=json","purl":"pkg:composer/symfony/symfony@3.4.26","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26"},{"url":"http://public2.vulnerablecode.io/api/packages/58021?format=json","purl":"pkg:composer/symfony/symfony@4.2.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7"}],"aliases":["CVE-2019-10911"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-23hr-yznx-c3fb"},{"url":"htt
p://public2.vulnerablecode.io/api/vulnerabilities/40103?format=json","vulnerability_id":"VCID-3qct-gbgt-kkbb","summary":"Cross-site Scripting\nThe debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op=get` URI.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18343","reference_id":"CVE-2017-18343","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18343"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56129?format=json","purl":"pkg:composer/symfony/symfony@2.8.26","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.26"},{"url":"http://public2.vulnerablecode.io/api/packages/55844?format=json","purl":"pkg:composer/symfony/symfony@3.2.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-djnm-e9r4-c3f5"},{"vulnerability":"VCID-dsbx-q641-4fc7"},{"vulnerability":"VCID-xdtu-22ad-63aq"},{"vulnerability":"VCID-xj13-fspe-hfgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.2.13"},{"url":"http://public2.vulnerablecode.io/api/packages/56130?format=json","purl":"pkg:composer/symfony/symfony@3.3.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.3.6"}],"aliases":["CVE-2017-18343"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3qct-gbgt-kkbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40980?format=json","vulnerability_id":"VCID-6c6t-kmb3-2qcm","summary":"Cross-site Scripting\nIn Symfony, validation messages are not escaped, which can lead to XSS when user input is 
included.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909","reference_id":"CVE-2019-10909","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10909"},{"reference_url":"https://symfony.com/cve-2019-10909","reference_id":"CVE-2019-10909","reference_type":"","scores":[],"url":"https://symfony.com/cve-2019-10909"},{"reference_url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine","reference_id":"CVE-2019-10909-ESCAPE-VALIDATION-MESSAGES-IN-THE-PHP-TEMPLATING-ENGINE","reference_type":"","scores":[],"url":"https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58019?format=json","purl":"pkg:composer/symfony/symfony@2.8.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50"},{"url":"http://public2.vulnerablecode.io/api/packages/58020?format=json","purl":"pkg:composer/symfony/symfony@3.4.26","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26"},{"url":"http://public2.vulnerablecode.io/api/packages/58021?format=json","purl":"pkg:composer/symfony/symfony@4.2.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7"}],"aliases":["CVE-2019-10909"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6c6t-kmb3-2qcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40978?format=json","vulnerability_id":"VCID-7m45-bvbn-4qd3","summary":"SQL Injection\nIn Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, 
possibly causing SQL injection or XSS.","references":[{"reference_url":"https://symfony.com/cve-2019-10913","reference_id":"CVE-2019-10913","reference_type":"","scores":[],"url":"https://symfony.com/cve-2019-10913"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58019?format=json","purl":"pkg:composer/symfony/symfony@2.8.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50"},{"url":"http://public2.vulnerablecode.io/api/packages/58020?format=json","purl":"pkg:composer/symfony/symfony@3.4.26","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26"},{"url":"http://public2.vulnerablecode.io/api/packages/58021?format=json","purl":"pkg:composer/symfony/symfony@4.2.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7"}],"aliases":["CVE-2019-10913"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7m45-bvbn-4qd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40525?format=json","vulnerability_id":"VCID-frbz-vpfe-vbh9","summary":"Unrestricted Upload of File with Dangerous Type\nWhen using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. 
If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.","references":[{"reference_url":"https://symfony.com/cve-2018-19789","reference_id":"CVE-2018-19789","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-19789"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57135?format=json","purl":"pkg:composer/symfony/symfony@2.8.49","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49"},{"url":"http://public2.vulnerablecode.io/api/packages/57136?format=json","purl":"pkg:composer/symfony/symfony@3.4.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20"},{"url":"http://public2.vulnerablecode.io/api/packages/57137?format=json","purl":"pkg:composer/symfony/symfony@4.0.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15"},{"url":"http://public2.vulnerablecode.io/api/packages/57138?format=json","purl":"pkg:composer/symfony/symfony@4.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/57139?format=json","purl":"pkg:composer/symfony/symfony@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1"}],"aliases":["CVE-2018-19789"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-frbz-vpfe-vbh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40526?format=json","vulnerability_id":"VCID-mew1-9shg-mugs","summary":"URL Redirection to 
Untrusted Site (Open Redirect)\nBy using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.","references":[{"reference_url":"https://symfony.com/cve-2018-19790","reference_id":"CVE-2018-19790","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-19790"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57135?format=json","purl":"pkg:composer/symfony/symfony@2.8.49","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.49"},{"url":"http://public2.vulnerablecode.io/api/packages/57136?format=json","purl":"pkg:composer/symfony/symfony@3.4.20","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.20"},{"url":"http://public2.vulnerablecode.io/api/packages/57137?format=json","purl":"pkg:composer/symfony/symfony@4.0.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.15"},{"url":"http://public2.vulnerablecode.io/api/packages/57138?format=json","purl":"pkg:composer/symfony/symfony@4.1.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/57139?format=json","purl":"pkg:composer/symfony/symfony@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.1"}],"aliases":["CVE-2018-19790"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mew1-9shg-mugs"},{"url":"http://public2.vulnerablecode.io/api/vulnera
bilities/39970?format=json","vulnerability_id":"VCID-tx26-92jc-rkff","summary":"URL Redirection to Untrusted Site (Open Redirect)\nThe security handlers in the Security component in Symfony have an Open redirect vulnerability when `security.http_utils` is inlined by a container.","references":[{"reference_url":"https://symfony.com/cve-2018-11408","reference_id":"CVE-2018-11408","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-11408"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55829?format=json","purl":"pkg:composer/symfony/symfony@2.8.41","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.41"},{"url":"http://public2.vulnerablecode.io/api/packages/55830?format=json","purl":"pkg:composer/symfony/symfony@3.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:composer/symfony/symfony@4.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.11"}],"aliases":["CVE-2018-11408"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tx26-92jc-rkff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39967?format=json","vulnerability_id":"VCID-uuk9-e5qy-rfgf","summary":"Improper Authentication\nAn issue was discovered in the Ldap component in Symfony. 
It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind.","references":[{"reference_url":"https://symfony.com/cve-2018-11407","reference_id":"CVE-2018-11407","reference_type":"","scores":[],"url":"https://symfony.com/cve-2018-11407"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55856?format=json","purl":"pkg:composer/symfony/symfony@2.8.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.37"},{"url":"http://public2.vulnerablecode.io/api/packages/55857?format=json","purl":"pkg:composer/symfony/symfony@3.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/55858?format=json","purl":"pkg:composer/symfony/symfony@4.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.0.7"}],"aliases":["CVE-2018-11407"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uuk9-e5qy-rfgf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40979?format=json","vulnerability_id":"VCID-zeut-9wfp-q7et","summary":"Deserialization of Untrusted Data\nIn Symfony it is possible to cache objects that may contain bad user input. 
On serialization or unserialization, this could result in the deletion of files that the current user has access to.","references":[{"reference_url":"https://symfony.com/cve-2019-10912","reference_id":"CVE-2019-10912","reference_type":"","scores":[],"url":"https://symfony.com/cve-2019-10912"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58019?format=json","purl":"pkg:composer/symfony/symfony@2.8.50","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.50"},{"url":"http://public2.vulnerablecode.io/api/packages/58020?format=json","purl":"pkg:composer/symfony/symfony@3.4.26","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.26"},{"url":"http://public2.vulnerablecode.io/api/packages/58021?format=json","purl":"pkg:composer/symfony/symfony@4.2.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.2.7"}],"aliases":["CVE-2019-10912"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zeut-9wfp-q7et"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.0"}