VulnerableCode Package Details - pkg:composer/symfony/security-bundle@6.2.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-7635-g8dq-bubu Aliases: CVE-2024-50341 GHSA-jxgr-3v7q-3w9v	Symfony's `Security::login` does not take into account custom `user_checker` ### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.	6.4.10 Affected by 0 other vulnerabilities. 7.0.10 Affected by 0 other vulnerabilities. 7.1.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7635-g8dq-bubu
Aliases:
CVE-2024-50341
GHSA-jxgr-3v7q-3w9v

Symfony's `Security::login` does not take into account custom `user_checker` ### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

6.4.10
Affected by 0 other vulnerabilities.

7.0.10
Affected by 0 other vulnerabilities.

7.1.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3p45-9gge-y3d9	Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.	CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211

Vulnerability

Summary

Aliases

VCID-3p45-9gge-y3d9

Symfony vulnerable to Session Fixation of CSRF tokens Description ----------- When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. Resolution ---------- Symfony removes all CSRF tokens from the session on successful login. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4) for branch 4.4. Credits ------- We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

CVE-2022-24895
GHSA-3gv2-29qc-v67m
GMS-2023-210
GMS-2023-211

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-04T13:57:07.099462+00:00	GitLab Importer	Fixing	VCID-3p45-9gge-y3d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/GMS-2023-210.yml	37.0.0
2025-07-03T19:14:56.257381+00:00	GitLab Importer	Affected by	VCID-7635-g8dq-bubu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-bundle/CVE-2024-50341.yml	37.0.0
2025-07-03T16:52:44.277175+00:00	GHSA Importer	Fixing	VCID-3p45-9gge-y3d9	https://github.com/advisories/GHSA-3gv2-29qc-v67m	37.0.0
2025-07-01T12:14:50.238964+00:00	GithubOSV Importer	Fixing	VCID-3p45-9gge-y3d9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3gv2-29qc-v67m/GHSA-3gv2-29qc-v67m.json	36.1.3