VulnerableCode Package Details - pkg:composer/symfony/security@2.3.35

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ap6u-129r-9kcg	Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.	CVE-2015-8124 GHSA-j5jh-hpr4-h332
VCID-m81q-5z8a-4khm	Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component.	CVE-2015-8125 GHSA-g97c-jfx6-xvxh

Vulnerability

Summary

Aliases

VCID-ap6u-129r-9kcg

Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.

CVE-2015-8124
GHSA-j5jh-hpr4-h332

VCID-m81q-5z8a-4khm

Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class in the Symfony Form component.

CVE-2015-8125
GHSA-g97c-jfx6-xvxh

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:10:08.592174+00:00	GitLab Importer	Fixing	VCID-ap6u-129r-9kcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8124.yml	36.1.3
2025-07-01T18:10:08.512070+00:00	GitLab Importer	Fixing	VCID-m81q-5z8a-4khm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2015-8125.yml	36.1.3
2025-07-01T12:27:22.713388+00:00	GithubOSV Importer	Fixing	VCID-m81q-5z8a-4khm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json	36.1.3
2025-07-01T12:26:30.663868+00:00	GithubOSV Importer	Fixing	VCID-ap6u-129r-9kcg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json	36.1.3