Search for packages
| purl | pkg:composer/symfony/security-http@5.0.0-BETA1 |
| Next non-vulnerable version | 7.1.8 |
| Latest non-vulnerable version | 7.2.0-BETA1 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hm1q-8mjy-47ek
Aliases: CVE-2024-36611 GHSA-7q22-x757-cmgc |
Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7gzy-b9hc-zuh2 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. |
CVE-2021-21424
GHSA-5pv8-ppvj-4h68 |
| VCID-s8he-qcmk-zqa9 | Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue. |
CVE-2020-5275
GHSA-g4m9-5hpf-hx72 |
| VCID-xv9e-a7qq-63a1 | Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix. |
CVE-2023-46734
GHSA-q847-2q57-wmr3 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T19:16:31.977555+00:00 | GitLab Importer | Affected by | VCID-hm1q-8mjy-47ek | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml | 37.0.0 |
| 2025-07-03T18:53:05.536958+00:00 | GitLab Importer | Fixing | VCID-xv9e-a7qq-63a1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2023-46734.yml | 37.0.0 |
| 2025-07-03T17:59:32.267790+00:00 | GitLab Importer | Fixing | VCID-7gzy-b9hc-zuh2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-21424.yml | 37.0.0 |
| 2025-07-03T17:40:03.382858+00:00 | GitLab Importer | Fixing | VCID-s8he-qcmk-zqa9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2020-5275.yml | 37.0.0 |