Search for packages
Package details: pkg:composer/symfony/security-bundle@2.7.48
purl pkg:composer/symfony/security-bundle@2.7.48
Next non-vulnerable version 2.8.41
Latest non-vulnerable version 7.1.3
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-9kvc-6wbe-1fdf
Aliases:
CVE-2018-11406
GHSA-g4g7-q726-v5hg
Symfony CSRF Token Fixation An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
2.8.41
Affected by 0 other vulnerabilities.
3.3.17
Affected by 2 other vulnerabilities.
3.4.11
Affected by 0 other vulnerabilities.
4.0.11
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-9kvc-6wbe-1fdf Symfony CSRF Token Fixation An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. CVE-2018-11406
GHSA-g4g7-q726-v5hg
VCID-h1am-9nz5-b3cu Symfony Open Redirect The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652. CVE-2018-11408
GHSA-7hwc-2cq4-6x2w

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T17:27:19.609044+00:00 GitLab Importer Affected by VCID-9kvc-6wbe-1fdf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2018-11406.yml 37.0.0
2025-07-03T17:27:15.349292+00:00 GitLab Importer Fixing VCID-h1am-9nz5-b3cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2018-11408.yml 37.0.0
2025-07-01T18:10:58.386369+00:00 GitLab Importer Fixing VCID-h1am-9nz5-b3cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2018-11408.yml 36.1.3
2025-07-01T12:28:31.449965+00:00 GithubOSV Importer Fixing VCID-9kvc-6wbe-1fdf https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g4g7-q726-v5hg/GHSA-g4g7-q726-v5hg.json 36.1.3
2025-07-01T12:26:57.510926+00:00 GithubOSV Importer Fixing VCID-h1am-9nz5-b3cu https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json 36.1.3