VulnerableCode Package Details - pkg:composer/symfony/symfony@2.0.6

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5hbh-x575-tyeu	Symfony may allow a user to switch to using another user's identity Symfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge. If you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade as soon as possible. The issue is that it is possible for a user to switch to another one. Here is how to reproduce it: The current user changes its username via a form to another existing username. When the form is submitted, he will have a validation error (as the username already exists) but the user object in the session will still be modified to the new username. This user from the session will be used for the next requests and so the user will be switched to this other user. The fix is to always refresh the user via the primary key (which cannot be updated via a form) instead of the username. If you cannot upgrade immediately, please apply the following patch: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762	GHSA-7mx2-7q8p-pgmw
VCID-z456-ta5n-g3fc	Improper Privilege Management Vulnerability in the `EntityUserProvider` as provided in the Doctrine bridge.	2011-11-16

Vulnerability

Summary

Aliases

VCID-5hbh-x575-tyeu

Symfony may allow a user to switch to using another user's identity Symfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge. If you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade as soon as possible. The issue is that it is possible for a user to switch to another one. Here is how to reproduce it: The current user changes its username via a form to another existing username. When the form is submitted, he will have a validation error (as the username already exists) but the user object in the session will still be modified to the new username. This user from the session will be used for the next requests and so the user will be switched to this other user. The fix is to always refresh the user via the primary key (which cannot be updated via a form) instead of the username. If you cannot upgrade immediately, please apply the following patch: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762

GHSA-7mx2-7q8p-pgmw

VCID-z456-ta5n-g3fc

Improper Privilege Management Vulnerability in the `EntityUserProvider` as provided in the Doctrine bridge.

2011-11-16

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:09:55.451765+00:00	GitLab Importer	Fixing	VCID-z456-ta5n-g3fc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/2011-11-16.yml	36.1.3
2025-07-01T14:35:01.159930+00:00	GHSA Importer	Fixing	VCID-5hbh-x575-tyeu	https://github.com/advisories/GHSA-7mx2-7q8p-pgmw	36.1.3
2025-07-01T12:11:20.508286+00:00	GithubOSV Importer	Fixing	VCID-5hbh-x575-tyeu	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7mx2-7q8p-pgmw/GHSA-7mx2-7q8p-pgmw.json	36.1.3