Search for packages
| purl | pkg:composer/symfony/form@3.1.3 |
| Next non-vulnerable version | 6.0.0-BETA1 |
| Latest non-vulnerable version | 6.2.0-BETA1 |
| Risk |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-64bd-n2s2-9qcj
Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
Symfony storing cookie headers in HttpCache Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session. Resolution ---------- The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb) for branch 4.4. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-73dj-ezgp-efc3
Aliases: CVE-2018-19789 GHSA-x3cf-w64x-4cp2 |
Symfony Path Disclosure An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7gzy-b9hc-zuh2
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-tgmn-cwth-ukcu
Aliases: CVE-2022-23601 GHSA-vvmr-8829-6whx |
CSRF token missing in Symfony Description ----------- The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. Resolution ---------- Symfony restored the default configuration to enable the CSRF protection by default. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50) for branch 5.3. Credits ------- We would like to thank Catalin Dan and David Lochner for reporting the issue and Jérémy Derussé for fixing the issue. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T18:38:25.838316+00:00 | GitLab Importer | Affected by | VCID-64bd-n2s2-9qcj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/form/CVE-2022-24894.yml | 37.0.0 |
| 2025-07-03T18:09:56.779857+00:00 | GitLab Importer | Affected by | VCID-tgmn-cwth-ukcu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/form/CVE-2022-23601.yml | 37.0.0 |
| 2025-07-03T17:59:26.697682+00:00 | GitLab Importer | Affected by | VCID-7gzy-b9hc-zuh2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/form/CVE-2021-21424.yml | 37.0.0 |
| 2025-07-03T17:30:51.908197+00:00 | GitLab Importer | Affected by | VCID-73dj-ezgp-efc3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/form/CVE-2018-19789.yml | 37.0.0 |